Project

General

Profile

Actions
Copy link

Bug #19612

closed

CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization

Added by Marek Hulán over 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Marek Hulán
Category:
Security
Target version:
1.15.1
Difficulty:
Triaged:
Bugzilla link:
Pull request:
https://github.com/theforeman/foreman/pull/4545
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

it has been found that user with *_users permission who is assigned to some
organization(s) can do all operations granted by these permissions on all
administrator user objects. We consider admin to effectively be present in
all organizations, which was the motivation for displaying them in every context.

On one hand, it make sense from technical point of view. On the other hand,
it's unexpected and user that is supposed to have access to his/her
organizations can edit global admin accounts including changing their
passwords.

The problem seems to be present since Foreman 1.5 [1] where nesting of
organizations was introduced [2]. The fix seems to be straightforward, add
admin ids to the set only if User.current.admin? in Taxonomix module [3]

[1] http://projects.theforeman.org/issues/3912
[2] https://github.com/theforeman/foreman/commit/
1fa008a4#diff-501156756cdcbc510254e30f9e2a29daR40
[3] https://github.com/theforeman/foreman/blob/develop/app/models/concerns/
taxonomix.rb#L85

Related issues 3 (0 open3 closed)

Related to Katello - Bug #19664: Upcoming security fix in Foreman breaks Katello testsClosedMarek Hulán05/25/2017Actions
Related to foreman-tasks - Bug #19704: Upcoming security fix in Foreman breaks KeepCurrentUser middlewareClosedMarek Hulán05/30/2017Actions
Related to Foreman - Bug #21782: Notifications for global audience don't workClosedMarek Hulán11/27/2017Actions
Actions
Copy link
 #1

Updated by Marek Hulán over 7 years ago

  • Translation missing: en.field_release set to 248
Actions
Copy link
 #2

Updated by The Foreman Bot over 7 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4545 added
Actions
Copy link
 #3

Updated by Marek Hulán over 7 years ago

  • Subject changed from User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization to CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization
Actions
Copy link
 #4

Updated by Marek Hulán over 7 years ago

  • Related to Bug #19664: Upcoming security fix in Foreman breaks Katello tests added
Actions
Copy link
 #5

Updated by Marek Hulán over 7 years ago

  • Related to Bug #19704: Upcoming security fix in Foreman breaks KeepCurrentUser middleware added
Actions
Copy link
 #6

Updated by Anonymous over 7 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions
Copy link
 #7

Updated by Marek Hulán almost 7 years ago

  • Related to Bug #21782: Notifications for global audience don't work added
Actions
Copy link

Also available in: Atom PDF