CVE-2016-7078

Sažetak

foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.

Reference

https://theforeman.org/security.html#2016-7078
https://seclists.org/oss-sec/2017/q1/470
https://projects.theforeman.org/issues/16982
https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7078
http://www.securityfocus.com/bid/96385

CVSS

Base:	4.0
Impact:	2.9
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:L/Au:S/C:P/I:N/A:N

Zadnje važnije ažuriranje

07-11-2023 - 02:34

Objavljeno

10-09-2018 - 15:29