The create method in app/controllers/users_controller.rb in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create or edit other users to gain privileges by (1) changing the admin flag or (2) assigning an arbitrary role.

Name | Vendor | Start Version | End Version |
---|---|---|---|
Openstack | Redhat | 3.0 (including) | 3.0 (including) |
Foreman | Theforeman | * | 1.2.0 (including) |
Foreman | Theforeman | 1.1 (including) | 1.1 (including) |