Bug #23028

CVE-2018-1096: SQL injection in dashboard controller

Added by Tomer Brisker 3 months ago. Updated 3 months ago.

Status: Closed
Priority: High
Assigned To: Tomer Brisker
Category: Security
Target version: -
Difficulty: -
Bugzilla link: -
Found in release: 1.9.0
Pull request: https://github.com/theforeman/foreman/pull/5365, https://github.com/theforeman/foreman/pull/5364, https://github.com/theforeman/foreman/pull/5363
Story points: -
Velocity based estimate: -
Release: 1.16.1
Release relationship: Auto

Description

The widget id is not properly escaped in the dashboard's save_positions action, which makes SQL injection possible.
Because the id is only interpolated into the conditions of a prepared select query, an attacker can inject additional conditions into the select but cannot execute additional commands.
The action is only available to authenticated users.

This issue was reported by Martin Povolný from Red Hat.


Related issues

Related to Foreman - Refactor #8106: Save dashboard widgets in DB to increase flexibility Closed 10/26/2014

Associated revisions

Revision 274665e2
Added by Martin Povolny 3 months ago

Fixes #23028 - Properly escape params passed to where (CVE-2018-1096) (#5363)

History

#1 Updated by Tomer Brisker 3 months ago

  • Description updated (diff)

#2 Updated by Tomer Brisker 3 months ago

  • Related to Refactor #8106: Save dashboard widgets in DB to increase flexibility added

#3 Updated by Tomer Brisker 3 months ago

  • Private changed from Yes to No
  • Subject changed from SQL injection in dashboard controller to CVE-2018-1096: SQL injection in dashboard controller

#4 Updated by The Foreman Bot 3 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/5363 added

#5 Updated by Tomer Brisker 3 months ago

  • Release set to 1.16.1

#6 Updated by The Foreman Bot 3 months ago

  • Pull request https://github.com/theforeman/foreman/pull/5364 added

#7 Updated by The Foreman Bot 3 months ago

  • Pull request https://github.com/theforeman/foreman/pull/5365 added

#8 Updated by Martin Povolny 3 months ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed
