Bug #5436

closed

CVE-2014-0192 - provisioning templates are world accessible

Added by Ohad Levy almost 10 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Unattended installations
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Since 1e0fd283 it is possible to override spoof by providing a hostname parameter.

This would allow retrieving any template of any host, bypassing authentication.


Related issues 1 (0 open, 1 closed)

Has duplicate Foreman - Bug #5463: No authentication required for /unattended/provision?hostname=HOSTNAME (Duplicate, 04/26/2014)

#1

Updated by Ohad Levy almost 10 years ago

A simple example using curl:

curl http://0.0.0.0:3000/unattended/provision\?hostname\=abc

#2

Updated by Dominic Cleal almost 10 years ago

Hm, I think I see from the code - we're only applying the authorisation filters when the spoof parameter isn't used, in the assumption that this is the only parameter needing protection. Bit messy.

This has probably been in since 5b70f0e0 / #359, so Foreman 1.4.0 and above are affected.
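
The gap described in this issue, as a simplified Ruby model added here (not Foreman's controller code): the login requirement is keyed on `spoof` alone, so a request that selects a host with `hostname` is not covered. The `Request` struct, method names and sample requests are constructed for illustration, and the model assumes a host fetching its own template sends no selector and needs no login.

```ruby
# Simplified model, not Foreman's controller code. Names are hypothetical.
Request = Struct.new(:params, :logged_in)

# Parameters that let the caller choose whose template is rendered.
HOST_SELECTORS = %w[spoof hostname].freeze

# Before: login is required only when `spoof` is present, on the
# assumption that it is the only parameter needing protection.
def login_required_before?(req)
  req.params.key?("spoof")
end

# After: any host-selecting parameter requires a logged-in user.
def login_required_after?(req)
  HOST_SELECTORS.any? { |name| req.params.key?(name) }
end

# Returns :deny or :render for one request under the named policy.
def decide(req, policy)
  send(policy, req) && !req.logged_in ? :deny : :render
end

# Constructed sample requests (assumption: a host fetching its own
# template sends no selector and needs no login).
SAMPLES = {
  own_template:   Request.new({}, false),
  spoof_anon:     Request.new({ "spoof" => "192.0.2.10" }, false),
  hostname_anon:  Request.new({ "hostname" => "abc" }, false),
  hostname_admin: Request.new({ "hostname" => "abc" }, true)
}.freeze

# Decision for every sample request under the named policy.
def audit(policy)
  SAMPLES.transform_values { |req| decide(req, policy) }
end

# Samples where an anonymous caller picks a host and still gets a render.
def exposed(policy)
  SAMPLES.select do |_, req|
    selects_host = HOST_SELECTORS.any? { |n| req.params.key?(n) }
    selects_host && !req.logged_in && decide(req, policy) == :render
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{exposed(:login_required_before?).inspect}"
  puts "after:  #{exposed(:login_required_after?).inspect}"
end
```

Keeping the selector list in one constant that both the guard and the regression check read means a newly added host-selecting parameter fails the check until the guard covers it.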

#3

Updated by Dominic Cleal almost 10 years ago

  • Private changed from Yes to No

Removing private flag as it's been reported publicly.

#4

Updated by Dominic Cleal almost 10 years ago

  • Has duplicate Bug #5463: No authentication required for /unattended/provision?hostname=HOSTNAME added

#5

Updated by Ohad Levy almost 10 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Ohad Levy

#6

Updated by Ohad Levy almost 10 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#7

Updated by Dominic Cleal almost 10 years ago

  • Subject changed from provisioning templates are world accessible to CVE-2014-0192 - provisioning templates are world accessible

#8

Updated by Dominic Cleal almost 10 years ago

  • translation missing: en.field_release changed from 4 to 17

Fix available in 1.5.0-RC2 and above.
