Bug #5436
CVE-2014-0192 - provisioning templates are world accessible
Description
Since 1e0fd283 it is possible to override spoof by providing a hostname parameter.
This would allow retrieving any template of any host, bypassing authentication.
Related issues
Associated revisions
fixes #5436 - provisioning templates are world accessible
(cherry picked from commit aa0ebe8eef311875695135c1714cb09225e8cd13)
History
#1
Updated by Ohad Levy almost 9 years ago
A simple example using curl:
curl http://0.0.0.0:3000/unattended/provision\?hostname\=abc
#2
Updated by Dominic Cleal almost 9 years ago
Hm, I think I see from the code - we're only applying the authorisation filters when the spoof parameter isn't used, in the assumption that this is the only parameter needing protection. Bit messy.
This has probably been in since 5b70f0e0 / #359, so Foreman 1.4.0 and above are affected.
#3
Updated by Dominic Cleal almost 9 years ago
- Private changed from Yes to No
Removing private flag as it's been reported publicly.
#4
Updated by Dominic Cleal almost 9 years ago
- Has duplicate Bug #5463: No authentication required for /unattended/provision?hostname=HOSTNAME added
#5
Updated by Ohad Levy almost 9 years ago
- Status changed from New to Ready For Testing
- Assignee set to Ohad Levy
#6
Updated by Ohad Levy almost 9 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset aa0ebe8eef311875695135c1714cb09225e8cd13.
#7
Updated by Dominic Cleal almost 9 years ago
- Subject changed from provisioning templates are world accessible to CVE-2014-0192 - provisioning templates are world accessible
#8
Updated by Dominic Cleal almost 9 years ago
- Legacy Backlogs Release (now unused) changed from 4 to 17
Fix available in 1.5.0-RC2 and above.
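To check whether an affected instance (1.4.0 up to the fix) was queried this way, the following added example scans web access logs for `/unattended/` requests that carry a `hostname` parameter, as in the curl request in comment #1. It is not code from the Foreman project or from this ticket. It assumes Apache combined log format, and the sample lines and function names are constructed for illustration.

```ruby
require "uri"

# Constructed sample lines (Apache combined log format is an assumption about
# the front-end web server; adjust LINE_RE for other formats).
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [12/May/2014:10:01:02 +0000] "GET /unattended/provision HTTP/1.1" 200 5120 "-" "Wget/1.12"
  198.51.100.7 - - [12/May/2014:10:03:44 +0000] "GET /unattended/provision?hostname=abc HTTP/1.1" 200 5093 "-" "curl/7.29.0"
  198.51.100.7 - - [12/May/2014:10:03:51 +0000] "GET /unattended/provision?hostname=db01.example.com HTTP/1.1" 200 5217 "-" "curl/7.29.0"
  203.0.113.5 - - [12/May/2014:10:05:00 +0000] "GET /unattended/finish?%68ostname=web02.example.com HTTP/1.1" 404 310 "-" "curl/7.29.0"
  192.0.2.11 - - [12/May/2014:10:06:13 +0000] "GET /hosts?search=hostname HTTP/1.1" 200 900 "-" "Mozilla/5.0"
LOG

LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) /

# Returns one hash per request to /unattended/* that supplies a hostname
# parameter. Parameter names are URL-decoded first, so an encoded spelling
# such as %68ostname is still matched.
def hostname_override_requests(log_text)
  log_text.each_line.map do |line|
    m = LINE_RE.match(line) or next
    path, query = m[:target].split("?", 2)
    next unless path.start_with?("/unattended/") && query
    # Malformed percent-encoding raises ArgumentError; treat as no parameters.
    params = URI.decode_www_form(query) rescue []
    host = params.assoc("hostname") or next
    { ip: m[:ip], time: m[:time], path: path,
      hostname: host[1], status: m[:status].to_i }
  end.compact
end

# Groups hits by client address: which hostnames each client asked for and
# how many of those requests were answered with HTTP 200.
def summarize(hits)
  hits.group_by { |h| h[:ip] }.map do |ip, rows|
    { ip: ip,
      hostnames: rows.map { |r| r[:hostname] }.uniq,
      served: rows.count { |r| r[:status] == 200 } }
  end
end

if __FILE__ == $0
  summarize(hostname_override_requests(SAMPLE_LOG)).each do |row|
    puts "#{row[:ip]} requested #{row[:hostnames].join(', ')} (#{row[:served]} served with 200)"
  end
end
```

An access log does not record whether the request was authenticated, so each hit is a lead for review, not proof of unauthenticated access.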