Information disclosure in Foreman - CVE-2016-7078
Published: September 10, 2018 / Updated: August 8, 2020
Vulnerability identifier: #VU36710
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-7078
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Foreman
Affected software:
Foreman
Foreman
Detailed vulnerability description
The vulnerability allows a remote authenticated user to gain access to sensitive information.
foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.
How to mitigate CVE-2016-7078
Install update from vendor's website.
Sources
- http://www.securityfocus.com/bid/96385
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7078
- https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905
- https://projects.theforeman.org/issues/16982
- https://seclists.org/oss-sec/2017/q1/470
- https://theforeman.org/security.html#2016-7078