CVE-2016-7078
4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned no organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Foreman | foreman | 1.15.0 | affected |
Weaknesses
- CWE-285: CWE-285
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7078
- http://www.securityfocus.com/bid/96385
- https://theforeman.org/security.html#2016-7078
- https://projects.theforeman.org/issues/16982
- https://seclists.org/oss-sec/2017/q1/470
References
- https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7078
- http://www.securityfocus.com/bid/96385
- https://theforeman.org/security.html#2016-7078
- https://projects.theforeman.org/issues/16982
- https://seclists.org/oss-sec/2017/q1/470
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.