CVE-2016-7078

medium

Description

Foreman before version 1.15.0 is vulnerable to an information leak through the organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion, so the flaw widens what an existing account can see, not what it is permitted to do.
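To make the failure mode concrete, the following is an added illustrative model of the scoping bug written in plain Ruby for this page. It is not Foreman's code and does not reproduce the actual fix; the names (Resource, User, vulnerable_scope, fixed_scope, viewable, the :view_hosts permission) and the sample data are all constructed for the example. It shows the fail-open pattern the description refers to: a taxonomy filter that is only applied when the user has at least one organization/location assigned, so an empty assignment bypasses the filter entirely, beside a variant that always applies the filter for non-admins.

```ruby
# Illustrative model of CVE-2016-7078 (constructed example, not Foreman code).
# All names and data below are hypothetical.

Resource = Struct.new(:name, :organization, :location)
User     = Struct.new(:login, :admin, :organizations, :locations, :permissions)

# Constructed sample inventory spanning two organizations and two locations.
RESOURCES = [
  Resource.new("web01",   "org-a", "dc-1"),
  Resource.new("db01",    "org-a", "dc-2"),
  Resource.new("build01", "org-b", "dc-1"),
].freeze

# Constructed sample accounts.
ADMIN         = User.new("admin",    true,  [],        [],       [:view_hosts]).freeze
SCOPED        = User.new("alice",    false, ["org-a"], ["dc-1"], [:view_hosts]).freeze
UNASSIGNED    = User.new("bob",      false, [],        [],       [:view_hosts]).freeze
NO_PERMISSION = User.new("carol",    false, [],        [],       []).freeze

# Vulnerable variant: each taxonomy filter is skipped when the user has no
# assignment of that kind. A user with no organizations and no locations
# therefore passes through unfiltered and sees everything, like an admin.
def vulnerable_scope(user, resources = RESOURCES)
  return resources if user.admin
  scoped = resources
  unless user.organizations.empty?
    scoped = scoped.select { |r| user.organizations.include?(r.organization) }
  end
  unless user.locations.empty?
    scoped = scoped.select { |r| user.locations.include?(r.location) }
  end
  scoped
end

# Fixed variant: for non-admins the filter is applied unconditionally, so an
# empty assignment yields an empty result set instead of an unrestricted one.
def fixed_scope(user, resources = RESOURCES)
  return resources if user.admin
  resources.select do |r|
    user.organizations.include?(r.organization) &&
      user.locations.include?(r.location)
  end
end

# Permissions still gate what the user may do with whatever is in scope.
# The bug is in the scoping step, not in this permission check, which is why
# the advisory notes that actions remain limited by assigned permissions.
def viewable(user, scope_fn)
  return [] unless user.permissions.include?(:view_hosts)
  scope_fn.call(user).map(&:name)
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable, unassigned user: #{viewable(UNASSIGNED, method(:vulnerable_scope)).inspect}"
  puts "fixed,      unassigned user: #{viewable(UNASSIGNED, method(:fixed_scope)).inspect}"
end
```

Running the block prints the full inventory for the unassigned user under the vulnerable scoping and an empty list under the fixed scoping; a user with a concrete organization and location assignment sees the same single host either way, which is why the issue is easy to miss in testing with normally-provisioned accounts.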

References

https://theforeman.org/security.html#2016-7078

https://seclists.org/oss-sec/2017/q1/470

https://projects.theforeman.org/issues/16982

https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7078

http://www.securityfocus.com/bid/96385

Details

Source: Mitre, NVD

Published: 2018-09-10

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 4.0

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Severity: Medium