An authentication bypass vulnerability exists in foreman-tasks prior to 0.15.7. Previously, commit tasks were searched through find_resource, which performed authorization checks. After the change to Foreman, an unauthenticated user can view the details of a task through the web UI or API, if they can discover or guess the UUID of the task.
Vulnerable Product |
---|
theforeman foreman-tasks |
redhat satellite 6.6 |
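
The two lookup patterns the description contrasts, shown as an added Ruby illustration with a regression check a maintainer could run against every task lookup path. This is not foreman-tasks or Foreman code: `TaskStore`, `find_by_uuid`, `find_authorized`, `leaking_paths` and the `:view_tasks` permission are hypothetical names, and the sample task is constructed.

```ruby
require 'securerandom'

# Hypothetical, simplified model (assumption): not foreman-tasks or Foreman code.
Task = Struct.new(:id, :label)
User = Struct.new(:login, :permissions)
class NotAuthorized < StandardError; end
class NotFound < StandardError; end

class TaskStore
  def initialize(tasks)
    @tasks = tasks.to_h { |t| [t.id, t] }
  end

  # Unscoped lookup: knowing the UUID is the only requirement.
  def find_by_uuid(uuid, _user = nil)
    @tasks.fetch(uuid) { raise NotFound }
  end

  # Authorized lookup: the caller is checked before the record is touched,
  # so an anonymous caller learns nothing, not even whether the UUID exists.
  def find_authorized(uuid, user)
    raise NotAuthorized unless user&.permissions&.include?(:view_tasks)
    @tasks.fetch(uuid) { raise NotFound }
  end
end

# Regression check: returns the lookup paths that hand a task to any of the
# given callers (anonymous is nil) when supplied with a valid UUID.
def leaking_paths(store, uuid, paths, callers)
  paths.select do |path|
    callers.any? do |who|
      begin
        store.public_send(path, uuid, who)
        true
      rescue NotAuthorized
        false
      end
    end
  end
end

# Constructed sample data.
SAMPLE_UUID = SecureRandom.uuid
STORE = TaskStore.new([Task.new(SAMPLE_UUID, 'constructed sample task')])
VIEWER = User.new('viewer', [:view_tasks])
NO_PERMS = User.new('guest', [])
```

A random UUID only makes the identifier hard to guess; the authorization check is what decides who may read the task.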