Bug #2630
Closed
Users with create/edit user permissions can escalate to admin
Description
Any non-admin user with permissions to create or edit other users is able to change the admin flag, or assign roles that they themselves don't have, enabling a privilege escalation.
By default, Foreman ships with a "Site manager" role which has the edit_users permission. Any user assigned this role, or any other role with equivalent permissions, would be able to enable the admin flag on a user account or assign that account roles the editing user does not hold themselves.
This security issue has been assigned the identifier CVE-2013-2113. It affects all Foreman versions prior to 1.2.0-RC2.
Thank you to Ramon de C Valle for identifying and notifying us of this vulnerability.
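The following is an added example, not Foreman's code or the fix in the referenced commit. It models the escalation in plain Ruby: an authorization gate that only checks edit_users (the behaviour described above) next to a hardened version that additionally refuses to let a non-admin editor touch the admin flag or grant roles it does not itself hold. The User struct, ROLE_PERMISSIONS table, EditError class and the apply_edit_unchecked / apply_edit functions are hypothetical names chosen for the illustration.

```ruby
# Added example (not Foreman's code). All names here are hypothetical.
require 'set'

# Constructed role table: "Site manager" carries edit_users, as the issue states.
ROLE_PERMISSIONS = {
  'Site manager' => Set[:edit_users, :create_users],
  'Viewer'       => Set[:view_hosts],
}.freeze

User = Struct.new(:login, :admin, :roles) do
  # A permission is held if the user is admin or any of their roles grants it.
  def can?(permission)
    admin || roles.any? { |r| ROLE_PERMISSIONS.fetch(r, Set.new).include?(permission) }
  end
end

class EditError < StandardError; end

# Vulnerable behaviour: the only gate is edit_users. Once past it, every
# attribute of the target, including admin and roles, is writable.
def apply_edit_unchecked(editor, target, changes)
  raise EditError, 'editor lacks edit_users' unless editor.can?(:edit_users)
  target.admin = changes[:admin] if changes.key?(:admin)
  target.roles = Set.new(changes[:roles]) if changes.key?(:roles)
  target
end

# Hardened behaviour: a non-admin editor may neither change the admin flag
# (in either direction) nor add roles it does not hold. The edit is rejected
# outright rather than silently stripped, so the caller learns why.
def apply_edit(editor, target, changes)
  raise EditError, 'editor lacks edit_users' unless editor.can?(:edit_users)
  unless editor.admin
    if changes.key?(:admin) && changes[:admin] != target.admin
      raise EditError, 'only admins may change the admin flag'
    end
    if changes.key?(:roles)
      added = Set.new(changes[:roles]) - target.roles
      extra = added - editor.roles
      raise EditError, "cannot grant roles not held: #{extra.to_a.join(', ')}" unless extra.empty?
    end
  end
  target.admin = changes[:admin] if changes.key?(:admin)
  target.roles = Set.new(changes[:roles]) if changes.key?(:roles)
  target
end

# Constructed scenario: a Site manager tries to make another user admin.
# Returns [admin flag after the unchecked edit, outcome of the hardened edit].
def escalation_demo
  site_manager = User.new('sm', false, Set['Site manager'])
  victim = -> { User.new('bob', false, Set['Viewer']) }
  escalated = apply_edit_unchecked(site_manager, victim.call, admin: true)
  outcome = begin
    apply_edit(site_manager, victim.call, admin: true)
    :allowed
  rescue EditError
    :rejected
  end
  [escalated.admin, outcome]
end

puts escalation_demo.inspect if $PROGRAM_NAME == __FILE__
```

The check compares the roles being added against the editor's own role set rather than against a fixed blocklist, so it also covers roles created after deployment; a real implementation would compare effective permissions instead of role names when roles can be nested or edited.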
Updated by Dominic Cleal over 11 years ago
- Priority changed from Normal to Urgent
Updated by Dominic Cleal over 11 years ago
Patches have been committed to develop and 1.2-stable branches. Foreman 1.2.0-RC2 will contain a fix.
Foreman 1.1 stable users may apply the following patch: https://github.com/theforeman/foreman/commit/7eadf32c.patch
Updated by Marek Hulán over 11 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 7eadf32c83381aadc092cded68efff04ef20e07a.