
List:       oss-security
Subject:    [oss-security] CVE-2016-2100: Foreman private bookmarks can be viewed and edited
From:       Dominic Cleal <dominic () cleal ! org>
Date:       2016-03-31 8:19:40
Message-ID: 56FCDD9C.7090000 () cleal ! org



CVE-2016-2100: Foreman allows read and write access to search bookmarks
set as 'private' to other users.

Bookmarks can be stored for quick access to frequent searches in the
Foreman web UI, which can be used to filter lists of hosts and other
objects.  These are marked either private or public; however, the UI and
API for users to manage their bookmarks listed all bookmarks, including
the private bookmarks of other users.  This allowed them to be viewed,
edited, or deleted.

Affects: Foreman 0.3 or higher
Fix released in Foreman 1.10.3 and Foreman 1.11.0-RC2

Patch:
https://github.com/theforeman/foreman/commit/a61344da14f73920b4bdc7ad8220e7a0ed998031

More information:
http://theforeman.org/security.html#2016-2100
http://projects.theforeman.org/issues/13828
http://theforeman.org/

-- 
Dominic Cleal
dominic@cleal.org
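The bug class described above, as an added illustration written for this page (not Foreman's code and not its patch): a "manage my bookmarks" listing that returns every row versus one scoped to public-or-own, with a narrower owner-only scope for edit and delete, and a check that flags private bookmarks leaking into a listing. Bookmark fields, user ids and the sample rows are constructed for the example.

```ruby
# Illustrative sketch of the bug class behind CVE-2016-2100, written for this
# page; it is not Foreman's code and does not reproduce its patch. Bookmarks
# are plain structs, "users" are string ids, and the scoping rules are the
# ones a fix needs: list/read = public OR own, edit/delete = own only.

Bookmark = Struct.new(:id, :name, :query, :public, :owner_id, keyword_init: true)

# Constructed sample data (not from the advisory): two users, four bookmarks.
BOOKMARKS = [
  Bookmark.new(id: 1, name: 'prod hosts',   query: 'environment = production',            public: true,  owner_id: 'alice'),
  Bookmark.new(id: 2, name: 'alice secret', query: 'owner = alice and status.failed > 0', public: false, owner_id: 'alice'),
  Bookmark.new(id: 3, name: 'bob secret',   query: 'os = CentOS and build = true',        public: false, owner_id: 'bob'),
  Bookmark.new(id: 4, name: 'web tier',     query: 'hostgroup = web',                     public: true,  owner_id: 'bob')
].freeze

class NotFound < StandardError; end

# Vulnerable listing: the "manage my bookmarks" endpoint returns every row,
# whoever asks, so other users' private bookmarks are exposed.
def list_bookmarks_unscoped(_user_id, bookmarks = BOOKMARKS)
  bookmarks.dup
end

# Fixed read scope: public bookmarks plus the caller's own.
def visible_bookmarks(user_id, bookmarks = BOOKMARKS)
  bookmarks.select { |b| b.public || b.owner_id == user_id }
end

# Write scope is narrower than read scope: only the owner may edit or delete.
# Looking the id up inside the scope (rather than a bare find-by-id followed
# by a separate authorization check) makes a foreign id behave like a
# missing one, so nothing can be confirmed or changed by guessing ids.
def owned_bookmark(user_id, id, bookmarks = BOOKMARKS)
  bm = bookmarks.find { |b| b.id == id && b.owner_id == user_id }
  raise NotFound, "bookmark #{id} not found" unless bm
  bm
end

# Returns an updated copy; the sample array is left untouched so calls repeat.
def rename_bookmark(user_id, id, new_name, bookmarks = BOOKMARKS)
  bm = owned_bookmark(user_id, id, bookmarks)
  Bookmark.new(**bm.to_h.merge(name: new_name))
end

# Returns the collection without the deleted bookmark.
def delete_bookmark(user_id, id, bookmarks = BOOKMARKS)
  bm = owned_bookmark(user_id, id, bookmarks)
  bookmarks.reject { |b| b.id == bm.id }
end

# Regression check usable against any listing (for example a decoded API
# response): private bookmarks not belonging to the caller must never appear.
def leaked_private_bookmarks(user_id, listing)
  listing.reject { |b| b.public || b.owner_id == user_id }
end

if $PROGRAM_NAME == __FILE__
  puts "unscoped leak for bob: #{leaked_private_bookmarks('bob', list_bookmarks_unscoped('bob')).map(&:name)}"
  puts "scoped leak for bob:   #{leaked_private_bookmarks('bob', visible_bookmarks('bob')).map(&:name)}"
end
```

The point worth keeping from this sketch is that the read and write scopes differ: a public bookmark may be listed for everyone but still only edited or deleted by its owner, and both scopes should be applied at the query rather than as an afterthought on a record already fetched by id.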


