Bug #10469
Updated by Dominic Cleal over 9 years ago
Reported by Ori Rabin to foreman-security - thanks!
Will be assigned a CVE identifier in due course. Low severity in my opinion.
Affects Foreman Discovery 2.x and 3.x.
***
Steps to reproduce:
1. log in with a user that has 2 locations (A, B)
2. discover a host and make sure it is connected to location B
3. create a hostgroup in location A
4. create a discovery rule in location B to match the discovered host and use the hostgroup from 3
5. log in with a user with permissions to location B only
6. you can see in the discovery rules index page the rule with the hostgroup you created (you can't access the hostgroup)
7. auto provision the discovered host
8. go to hosts - the host was provisioned using a hostgroup the second user doesn't have permissions for
***
The rule creation should enforce that the selected host group is in the same org/location as the rule itself.
Optionally Discovery could also enforce that users must have view_hostgroups permissions for their target host group when using rules, but this isn't done in Foreman core today anyway - #4477, #6470 etc.
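As an added example (not Foreman's or Discovery's own code), a plain-Ruby model of the two checks described above, with the report's steps reconstructed as constructed sample data; the taxonomy and visibility model here is a simplification of Foreman's, assumed for illustration only.

```ruby
# Added illustration, not Foreman code. Taxonomies are organizations and locations.
# The check the report asks for: a rule may only reference a host group that
# exists in every taxonomy the rule itself belongs to.
Taxonomy      = Struct.new(:kind, :name)
Hostgroup     = Struct.new(:name, :taxonomies)
DiscoveryRule = Struct.new(:name, :hostgroup, :taxonomies)
User          = Struct.new(:login, :taxonomies)

# Errors a rule would get on save; an empty array means the host group is allowed.
def taxonomy_scope_errors(rule)
  return [] if rule.hostgroup.nil?                        # nothing to cross-check
  missing = rule.taxonomies - rule.hostgroup.taxonomies   # taxonomies the rule has but the host group lacks
  missing.map { |t| "host group '#{rule.hostgroup.name}' is not in #{t.kind} '#{t.name}'" }
end

# The optional second check (view_hostgroups): the acting user must be able to see
# the host group at all. Simplified assumption for this example: the host group
# must share at least one organization and at least one location with the user.
def hostgroup_visible_to?(user, hostgroup)
  %w[organization location].all? do |kind|
    mine   = user.taxonomies.select      { |t| t.kind == kind }
    theirs = hostgroup.taxonomies.select { |t| t.kind == kind }
    (mine & theirs).any?
  end
end

# Rebuilds the reproduction steps above with constructed sample data.
def report_scenario
  org    = Taxonomy.new("organization", "Default")
  loc_a  = Taxonomy.new("location", "A")
  loc_b  = Taxonomy.new("location", "B")
  hg_a   = Hostgroup.new("hg-in-A", [org, loc_a])             # step 3: host group only in A
  rule   = DiscoveryRule.new("match-B", hg_a, [org, loc_b])   # step 4: rule in B using that host group
  user_b = User.new("user-b", [org, loc_b])                   # step 5: user limited to B
  { rule_errors: taxonomy_scope_errors(rule),                 # non-empty: the save should be refused
    visible:     hostgroup_visible_to?(user_b, hg_a) }        # false: user-b cannot see hg-in-A
end

puts report_scenario.inspect if $PROGRAM_NAME == __FILE__
```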