Vulnerability CVE-2016-7078


Published: 2018-09-10

Description:
Foreman before version 1.15.0 is vulnerable to an information leak through the organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.
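The bug class described above, as an added illustration written for this page (it is a simplified model, not Foreman's own code): a resource scope that treats "no organizations assigned" as "no filter" beside the corrected scope, which only lifts the filter for an explicit administrator and otherwise shows an unassigned user nothing. The Resource/User structs, the sample inventory and the admin flag are assumptions of this example.

```ruby
# Simplified model of the CVE-2016-7078 bug class (added illustration, not
# Foreman's code): resources are tagged with an organization, users carry a
# list of assigned organizations, and a scope filters what a user may see.
Resource = Struct.new(:name, :organization)
User = Struct.new(:login, :organizations)

# Constructed sample inventory.
RESOURCES = [
  Resource.new("web01", "Engineering"),
  Resource.new("db01", "Finance"),
  Resource.new("lab01", "Research"),
].freeze

# Vulnerable pattern: an empty assignment list is treated as "no filter",
# so a user with no organizations mirrors the administrator's full view.
def visible_resources_vulnerable(user, resources = RESOURCES)
  return resources if user.organizations.empty? # bug: empty means "all"
  resources.select { |r| user.organizations.include?(r.organization) }
end

# Corrected pattern: only an explicit administrator flag (assumed here)
# lifts the filter; an empty assignment list yields an empty result.
def visible_resources_fixed(user, resources = RESOURCES, admin: false)
  return resources if admin
  resources.select { |r| user.organizations.include?(r.organization) }
end

# Audit helper: true when a non-admin user's effective view under the
# vulnerable scope is wider than the corrected scope would allow.
def overexposed?(user, resources = RESOURCES, admin: false)
  return false if admin
  visible_resources_vulnerable(user, resources).size >
    visible_resources_fixed(user, resources).size
end

if __FILE__ == $PROGRAM_NAME
  unassigned = User.new("contractor", [])
  scoped = User.new("alice", ["Engineering"])
  puts "vulnerable view for #{unassigned.login}: " \
       "#{visible_resources_vulnerable(unassigned).map(&:name).inspect}"
  puts "fixed view for #{unassigned.login}: " \
       "#{visible_resources_fixed(unassigned).map(&:name).inspect}"
  puts "overexposed? #{overexposed?(unassigned)}"
  puts "scoped user sees: #{visible_resources_fixed(scoped).map(&:name).inspect}"
end
```

The overexposed? check is the kind of comparison an auditor can run against accounts with empty taxonomy assignments to confirm the fix in 1.15.0 has taken effect.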

Type:
CWE-200 (Information Exposure)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10

Exploit range: Remote
Attack complexity: Low
Authentication: Single time

Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Affected software:
Theforeman -> Foreman

References:
http://www.securityfocus.com/bid/96385
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7078
https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905
https://projects.theforeman.org/issues/16982
https://seclists.org/oss-sec/2017/q1/470
https://theforeman.org/security.html#2016-7078

Copyright 2024, cxsecurity.com
