CVE-2016-7078
foreman: Information leak through organizations and locations feature
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.
Foreman en versiones anteriores a la 1.15.0 es vulnerable a una fuga de información mediante la funcionalidad de organizaciones y ubicaciones. Cuando se le asigna a un usuario _no_ organizaciones/ubicaciones, pueden ver todos los recursos en lugar de ninguno (copiando la vista de administrador). Las acciones del usuario siguen estando limitadas por sus permisos asignados, esto es, para controlar la vista, la edición y la eliminación
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-08-23 CVE Reserved
- 2018-09-10 CVE Published
- 2024-06-25 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-285: Improper Authorization
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/96385 | Third Party Advisory | |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7078 | Issue Tracking | |
https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905 | Third Party Advisory | |
https://seclists.org/oss-sec/2017/q1/470 | Mailing List |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://projects.theforeman.org/issues/16982 | 2023-11-07 | |
https://theforeman.org/security.html#2016-7078 | 2023-11-07 | |
https://access.redhat.com/security/cve/CVE-2016-7078 | 2018-02-21 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1386244 | 2018-02-21 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Theforeman Search vendor "Theforeman" | Foreman Search vendor "Theforeman" for product "Foreman" | 1.15.0 Search vendor "Theforeman" for product "Foreman" and version "1.15.0" | - |
Affected
|