Bug #10469
Updated by Lukas Zapletal over 9 years ago
Reported by Ori Rabin to foreman-security - thanks! CVE identifier is CVE-2015-3199. Low severity in my opinion. Affects Foreman Discovery 2.x and 3.x.

Steps to reproduce:

1. log in with a user that has 2 locations (A, B)
2. discover a host and make sure it is connected to location B
3. create a hostgroup in location A
4. create a discovery rule in location B to match the discovered host and use the hostgroup from 3
5. log in with a user with permissions to location B only
6. you can see in the discovery rules index page the rule with the hostgroup you created (you can't access the hostgroup)
7. auto provision the discovered host
8. go to hosts - the host was provisioned using a hostgroup the second user doesn't have permissions for

The rule creation should enforce that the selected host group is in the same org/location as the rule itself. Optionally Discovery could also enforce that users must have view_hostgroups permissions for their target host group when using rules, but this isn't done in Foreman core today anyway - #4477, #6470 etc.
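As an added illustration of the taxonomy check the report asks for (not Foreman's own code), the plain Ruby below models a rule, a host group and their organizations/locations with Structs and rejects a rule whose host group is not assigned to every taxonomy the rule belongs to; the sample data follows the reproducer (host group in location A, rule in location B).

```ruby
# Constructed illustration of the taxonomy check the report asks for:
# a discovery rule may only reference a host group that is visible in
# every organization and location the rule itself belongs to.
# Plain Ruby stand-ins for Foreman's models; not Foreman's own code.

Taxonomy  = Struct.new(:kind, :name)          # kind is :organization or :location
Hostgroup = Struct.new(:name, :taxonomies)    # taxonomies the host group is assigned to

class DiscoveryRule
  attr_reader :name, :hostgroup, :taxonomies, :errors

  def initialize(name:, hostgroup:, taxonomies:)
    @name, @hostgroup, @taxonomies = name, hostgroup, taxonomies
    @errors = []
  end

  # Mirrors a Rails validation: collect the rule's taxonomies that the
  # selected host group is not assigned to. An empty result means valid.
  def taxonomy_mismatches
    taxonomies.reject { |t| hostgroup.taxonomies.include?(t) }
  end

  def valid?
    @errors = taxonomy_mismatches.map do |t|
      "hostgroup #{hostgroup.name} is not in #{t.kind} #{t.name}"
    end
    @errors.empty?
  end
end

# Constructed sample data following the reproducer: locations A and B,
# a host group that only exists in A, and a rule scoped to B.
LOC_A = Taxonomy.new(:location, "A")
LOC_B = Taxonomy.new(:location, "B")
ORG   = Taxonomy.new(:organization, "Default")

HG_IN_A = Hostgroup.new("web-servers", [ORG, LOC_A])

# Build a rule that uses HG_IN_A and is scoped to ORG plus the given location.
def rule_in(location)
  DiscoveryRule.new(name: "match-discovered", hostgroup: HG_IN_A, taxonomies: [ORG, location])
end

if __FILE__ == $PROGRAM_NAME
  bad = rule_in(LOC_B)
  puts "rule in B valid? #{bad.valid?}  errors: #{bad.errors.inspect}"
  puts "rule in A valid? #{rule_in(LOC_A).valid?}"
end
```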