The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.
References
Link | Resource |
---|---|
http://projects.theforeman.org/issues/15182 | Vendor Advisory |
http://projects.theforeman.org/projects/foreman/repository/revisions/1144040f444b4bf4aae81940a150b26b23b4623c | Patch Vendor Advisory |
https://access.redhat.com/errata/RHSA-2018:0336 | |
https://theforeman.org/security.html#2016-4451 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2016-08-19T21:00:00
Updated: 2018-02-22T10:57:01
Reserved: 2016-05-02T00:00:00
Link: CVE-2016-4451
JSON object: View
NVD Information
Status : Modified
Published: 2016-08-19T21:59:08.337
Modified: 2023-02-12T23:21:20.167
Link: CVE-2016-4451
JSON object: View
Redhat Information
No data.
CWE