Information disclosure in Foreman - CVE-2016-7077

Published: September 10, 2018 / Updated: August 8, 2020


Vulnerability identifier: #VU36709
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-7077
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Foreman
Affected software:
Foreman

Detailed vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Foreman before 1.14.0 is vulnerable to an information leak: the Foreman form helper does not authorize the options it renders for associated objects, so an unauthorized user can see the names of such objects when fewer than 6 of them exist.
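As an added illustration (constructed here, not Foreman's own code), a toy form helper with the behaviour the advisory describes: when fewer than 6 associated objects exist, the vulnerable version renders every name, while the hardened version scopes the options to what the user may view before counting or rendering. The Item and User classes and the can_view? check are assumptions standing in for Foreman's models and permission model.

```ruby
require 'set'

# Constructed stand-in for an associated object (e.g. a host group).
Item = Struct.new(:id, :name)

# Assumed, simplified permission model: a user may view a fixed set of ids.
class User
  def initialize(name, viewable_ids)
    @name = name
    @viewable_ids = Set.new(viewable_ids)
  end

  def can_view?(item)
    @viewable_ids.include?(item.id)
  end
end

# Per the advisory, names are rendered only when fewer than 6 objects exist;
# larger associations take a different (autocomplete-style) path, omitted here.
MAX_SELECT_OPTIONS = 6

# Vulnerable helper: the user argument is ignored, so every name is rendered.
def vulnerable_options(all_items, _user)
  return nil if all_items.size >= MAX_SELECT_OPTIONS
  all_items.map(&:name)
end

# Hardened helper: filter to authorized objects first, then count and render,
# so neither the names nor the size of the unauthorized set is exposed.
def authorized_options(all_items, user)
  visible = all_items.select { |item| user.can_view?(item) }
  return nil if visible.size >= MAX_SELECT_OPTIONS
  visible.map(&:name)
end

# Names the vulnerable helper would show that the user is not allowed to see.
def leaked_names(all_items, user)
  rendered = vulnerable_options(all_items, user) || []
  allowed = Set.new(authorized_options(all_items, user) || [])
  rendered.reject { |name| allowed.include?(name) }
end
```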


How to mitigate CVE-2016-7077

Install the update from the vendor's website.
