CVE-2016-5390: Foreman information disclosure in host interfaces/parameters API


From: Dominic Cleal <dominic () cleal org>
Date: Mon, 25 Jul 2016 16:22:20 +0100

Non-admin users whose view_hosts permission carries a filter are able to
access API routes beneath "hosts", such as GET
/api/v2/hosts/secrethost/interfaces, without the filter being applied.
This allows such users to access network interface details (including
BMC login details) for any host.

The filter is only correctly applied when accessing the main host details
(/api/v2/hosts/secrethost). Access to the "nested" routes, which include
interfaces, reports, parameters, audits, facts and Puppet classes, is not
authorized beyond requiring any view_hosts permission.

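As an added illustration (not Foreman's own code), the following Ruby models the authorization gap described above: a user whose view_hosts permission carries a filter, a host lookup that honours that filter, and the nested interfaces route before and after the fix. The host names, the glob-style filter syntax and the interface data are constructed for the example.

```ruby
# Added example, not Foreman's code: models the authorization flaw behind
# CVE-2016-5390. A filtered view_hosts permission must restrict nested
# routes (interfaces, parameters, ...) exactly as it restricts /hosts/:id.

# Constructed sample data: hosts and their interface details.
HOSTS = {
  "publichost" => { interfaces: ["eth0 10.0.0.5"] },
  "secrethost" => { interfaces: ["bmc 10.0.0.9 (BMC credentials here)"] },
}.freeze

# A user's role: the view_hosts permission plus an optional filter.
# The filter is a constructed glob on the host name; Foreman's real filters
# use its search syntax, but the scoping idea is the same.
User = Struct.new(:view_hosts, :filter) do
  # Is this host inside the user's filtered view_hosts scope?
  def visible?(host_name)
    return false unless view_hosts
    filter.nil? || File.fnmatch(filter, host_name)
  end
end

# Vulnerable pattern: the nested route only checks that the user holds
# *some* view_hosts permission and then loads the parent host directly,
# so the filter never participates in the lookup.
def interfaces_vulnerable(user, host_name)
  return :forbidden unless user.view_hosts
  host = HOSTS[host_name]
  return :not_found if host.nil?
  host[:interfaces]
end

# Fixed pattern: resolve the parent host through the user's filtered scope
# first, as the main host route already did. A host outside the scope is
# reported as not found, the same answer an absent host gets, so the nested
# route neither returns nor confirms the existence of filtered-out hosts.
def interfaces_fixed(user, host_name)
  return :forbidden unless user.view_hosts
  host = HOSTS[host_name]
  return :not_found if host.nil? || !user.visible?(host_name)
  host[:interfaces]
end
```
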
Affects Foreman 1.10.0 and higher
Fix released in Foreman 1.12.1 and 1.11.4

Patch:
https://github.com/theforeman/foreman/commit/7a86dcfe6b36dd43cd6163ce70599e53f09cc217

More information:
https://theforeman.org/security.html#2016-5390
http://projects.theforeman.org/issues/15653
https://theforeman.org

-- 
Dominic Cleal
dominic () cleal org
