Bug #5436
closed
CVE-2014-0192 - provisioning templates are world accessible
Added by Ohad Levy over 10 years ago.
Updated about 6 years ago.
Category:
Unattended installations
|
Description
since 1e0fd283 it is possible to override spoof by providing a hostname parameters.
this would allow to retrieve any template of any host bypassing authentication.
a simple example using curl:
curl http://0.0.0.0:3000/unattended/provision\?hostname\=abc
Hm, I think I see from the code - we're only applying the authorisation filters when the spoof parameter isn't used, in the assumption that this is the only parameter needing protection. Bit messy.
This has probably been in since 5b70f0e0 / #359, so Foreman 1.4.0 and above are affected.
- Private changed from Yes to No
Removing private flag as it's been reported publicly.
- Has duplicate Bug #5463: No authentication required for /unattended/provision?hostname=HOSTNAME added
- Status changed from New to Ready For Testing
- Assignee set to Ohad Levy
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
- Subject changed from provisioning templates are world accessible to CVE-2014-0192 - provisioning templates are world accessible
- Translation missing: en.field_release changed from 4 to 17
Fix available in 1.5.0-RC2 and above.
Also available in: Atom
PDF