CVE-2019-10198 – foreman: authorization bypasses in foreman-tasks leading to information disclosure

https://notcve.org/view.php?id=CVE-2019-10198

An authentication bypass vulnerability was discovered in foreman-tasks before 0.15.7. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view the details of a task through the web UI or API, if they can discover or guess the UUID of the task. Se descubrió una vulnerabilidad de identificación de bypass en foreman-tasks anterior a 0.15.7. anteriormente las tareas de confirmación fueron buscadas a través de find_resoruce, la cual realizó verificaciones de autorización. Después de cambiar a foreman, un usuario no identificado poder visualizar los detalles de una tarea a través de la web UI o API, si pueden descubrir o adivinar la tarea. • https://access.redhat.com/errata/RHSA-2019:3172 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10198 https://projects.theforeman.org/issues/27275 https://access.redhat.com/security/cve/CVE-2019-10198 https://bugzilla.redhat.com/show_bug.cgi?id=1729130 • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function CWE-592: DEPRECATED: Authentication Bypass Issues •