
CVE-2016-4451

Published: 19/08/2016 Updated: 12/02/2023
CVSS v2 Base Score: 6 | Impact Score: 6.4 | Exploitability Score: 6.8
CVSS v3 Base Score: 5 | Impact Score: 3.4 | Exploitability Score: 1.6
VMScore: 534
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Vulnerability Summary

The (1) Organization and (2) Locations APIs in Foreman prior to 1.11.3 and 1.12.x prior to 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.

Vulnerable Product

theforeman foreman 1.12.0

theforeman foreman

Vendor Advisories

Synopsis: Important: Satellite 6.3 security, bug fix, and enhancement update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat Satellite. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) ...
It was found that Satellite 6 did not properly enforce access controls on certain resources. An attacker, with access to the API and knowledge of the ID name, can potentially access other resources in other organizations ...