Bug #10469

Updated by Lukas Zapletal over 6 years ago

This was reported Reported by Ori Rabin to foreman-security (thanks!) and a - thanks!

CVE identifier was filed under CVE-2015-3199, but it turned out this does not affect any released upstream version. is CVE-2015-3199. Low severity in my opinion.

Affects Foreman Discovery 2.x and 3.x.


Steps to reproduce:
# log in with a user that has 2 locations (A, B)
# discover a host and make sure it is connected to location B
# create a hostgroup in location A
# create a discovery rule in location B to match the discovered host and use the hostgroup from 3
# log in with a user with permissions to location B only
# you can see in the discovery rules index page the rule with the hostgroup you created (you can't access the hostgroup)
# auto provision the discovered host
# go to hosts - the host was provisioned using a hostgroup the second user doesn't have permissions for


The rule creation should enforce that the selected host group is in the same org/location as the rule itself.

Optionally Discovery could also enforce that users must have view_hostgroups permissions for their target host group when using rules, but this isn't done in Foreman core today anyway - #4477, #6470 etc.