Bug #5436

closed

CVE-2014-0192 - provisioning templates are world accessible

Added by Ohad Levy almost 11 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Unattended installations
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Since 1e0fd283 it is possible to override spoof by providing a hostname parameter.

This would allow retrieving any template of any host, bypassing authentication.


Related issues: 1 (0 open, 1 closed)

Has duplicate: Foreman - Bug #5463: No authentication required for /unattended/provision?hostname=HOSTNAME (Duplicate, 04/26/2014)
#2

Updated by Dominic Cleal almost 11 years ago

#3

Updated by Dominic Cleal almost 11 years ago

  • Private changed from Yes to No
#4

Updated by Dominic Cleal almost 11 years ago

  • Has duplicate Bug #5463: No authentication required for /unattended/provision?hostname=HOSTNAME added
#5

Updated by Ohad Levy almost 11 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Ohad Levy
#6

Updated by Ohad Levy almost 11 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
#7

Updated by Dominic Cleal almost 11 years ago

  • Subject changed from provisioning templates are world accessible to CVE-2014-0192 - provisioning templates are world accessible
#8

Updated by Dominic Cleal almost 11 years ago

  • Translation missing: en.field_release changed from 4 to 17