Project

General

Profile

Bug #10469

Updated by Dominic Cleal over 9 years ago

Reported by Ori Rabin to foreman-security - thanks! 

 Will be assigned a CVE identifier is CVE-2015-3199. in due course.    Low severity in my opinion. 

 Affects Foreman Discovery 2.x and 3.x. 

 *** 

 Steps to reproduce: 
 # log in with a user that has 2 locations (A, B) 
 # discover a host and make sure it is connected to location B 
 # create a hostgroup in location A 
 # create a discovery rule in location B to match the discovered host and use the hostgroup from 3 
 # log in with a user    with permissions to location B only 
 # you can see in the discovery rules index page the rule with the hostgroup you created (you can't access the hostgroup) 
 # auto provision the discovered host 
 # go to hosts - the host was provisioned using a hostgroup the second user doesn't have permissions for 

 *** 

 The rule creation should enforce that the selected host group is in the same org/location as the rule itself. 

 Optionally Discovery could also enforce that users must have view_hostgroups permissions for their target host group when using rules, but this isn't done in Foreman core today anyway - #4477, #6470 etc.

Back