CVE-2015-5233

foreman: reports show/destroy not restricted by host authorization

Severity Score

4.2

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to delete reports from arbitrary hosts via direct access to the (a) individual report show/delete pages or (b) APIs.

Foreman en versiones anteriores a 1.8.4 y 1.9.x en versiones anteriores a 1.9.1 no aplica correctamente los permisos view_hosts, lo que permite (1) a usuarios remotos autenticados con el permiso view_reports leer informes desde hosts arbitrarios o (2) a usuarios remotos autenticados con el permiso destroy_reports borrar informes desde hosts arbitrarios a través del acceso directo a (a) las páginas show/delete del informe individual o (b) APIs.

A flaw was discovered where Satellite failed to properly enforce permissions on the show and delete actions for reports. An authenticated user with show or delete report permissions could use this flaw to view or delete any reports held in Foreman.

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. The following security issue is addressed with this release: Satellite failed to properly enforce permissions on the show and destroy actions for reports. This could lead to an authenticated user with show and/or destroy report permissions being able to view and/or delete any reports held in Foreman.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-07-01 CVE Reserved
2015-12-15 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-264: Permissions, Privileges, and Access Controls
CWE-284: Improper Access Control

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
http://projects.theforeman.org/issues/11579	2023-02-13

URL	Date	SRC
http://theforeman.org/security.html#CVE-2015-5233:reportsshow/destroynotrestrictedbyhostauthorization	2023-02-13
https://access.redhat.com/errata/RHSA-2015:2622	2023-02-13
https://access.redhat.com/security/cve/CVE-2015-5233	2015-12-15
https://bugzilla.redhat.com/show_bug.cgi?id=1262443	2015-12-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Theforeman Search vendor "Theforeman"		Foreman Search vendor "Theforeman" for product "Foreman"				<= 1.8.3 Search vendor "Theforeman" for product "Foreman" and version " <= 1.8.3"		-		Affected
Theforeman Search vendor "Theforeman"		Foreman Search vendor "Theforeman" for product "Foreman"				1.9.0 Search vendor "Theforeman" for product "Foreman" and version "1.9.0"		-		Affected
Redhat Search vendor "Redhat"		Satellite Search vendor "Redhat" for product "Satellite"				6.1 Search vendor "Redhat" for product "Satellite" and version "6.1"		-		Affected