CVE-2015-5233

Sažetak

Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to delete reports from arbitrary hosts via direct access to the (a) individual report show/delete pages or (b) APIs.

Reference

http://projects.theforeman.org/issues/11579
http://theforeman.org/security.html#CVE-2015-5233:reportsshow/destroynotrestrictedbyhostauthorization
https://access.redhat.com/errata/RHSA-2015:2622

CVSS

Base:	6.0
Impact:	6.4
Exploitability:	6.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:M/Au:S/C:P/I:P/A:P

Zadnje važnije ažuriranje

13-02-2023 - 00:52

Objavljeno

11-04-2016 - 21:59