Bug #6777
open
CVE-2014-8183 - Models with a 'belongs_to' association to an Organization do not verify association belongs to that Organization
Description
While this affects more models in Katello where every model must be silo'd within an Organization, this problem arises in Foreman as well. Thus, a general use validator that lives in Foreman would be the ideal solution.
Foreman Case:
1. Ensure you have a host and a smart proxy
2. Assign host to organization 'Org A'
3. Assign smart proxy ONLY to organization 'Org B'
4. Ensure 'Org A' does not have any smart proxies
5. Note that UI will not present options to set the Puppet CA for the host on the edit screen
6. Via the API:
PUT to /api/v2/hosts/1 { 'puppet_proxy_id': 1 } (the ID of the smart proxy in 'Org B')
7. Smart proxy that is only in 'Org B' will be assigned to host in 'Org A'
Katello Example:
1. Create Product in 'Org A'
2. Create GPG Key in 'Org B'
3. Via the API:
PUT to /katello/api/v2/products/1 - { 'gpg_key_id': 1} (the ID of the gpg key)
7. Gpg Key from another organization can be assigned to product
Updated by Dominic Cleal over 9 years ago
- Category set to Organizations and Locations
Updated by
Updated by The Foreman Bot over 9 years ago
- Status changed from New to Ready For Testing
- Target version set to 1.7.5
- Pull request https://github.com/theforeman/foreman/pull/1654 added
- Pull request deleted (
)
Updated by Anonymous over 9 years ago
- Target version changed from 1.7.5 to 1.7.4
Updated by Anonymous over 9 years ago
- Target version changed from 1.7.4 to 1.7.3
Updated by Dominic Cleal over 9 years ago
- Target version changed from 1.7.3 to 1.7.2
Updated by Tomer Brisker about 8 years ago
- Status changed from Ready For Testing to New
Updated by Tomer Brisker over 6 years ago
- Subject changed from Models with a 'belongs_to' association to an Organization do not verify association belongs to that Organization to CVE-2014-8183 - Models with a 'belongs_to' association to an Organization do not verify association belongs to that Organization