The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Foreman | Theforeman | * | 1.11.3 (including) |
| Foreman | Theforeman | 1.12.0 (including) | 1.12.0 (including) |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | foreman-0:1.11.0.51-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | foreman-installer-1:1.11.0.10-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | foreman-proxy-0:1.11.0.5-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | pulp-0:2.8.3.4-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | satellite-0:6.2.1-1.2.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | tfm-rubygem-foreman_discovery-0:5.0.0.9-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | tfm-rubygem-hammer_cli_foreman_admin-0:0.0.5-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | tfm-rubygem-hammer_cli_katello-0:0.0.22.25-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | tfm-rubygem-katello-0:3.0.0.70-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | tfm-rubygem-ovirt_provision_plugin-0:1.0.2-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | foreman-0:1.11.0.51-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | foreman-installer-1:1.11.0.10-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | foreman-proxy-0:1.11.0.5-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | pulp-0:2.8.3.4-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | satellite-0:6.2.1-1.2.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | tfm-rubygem-foreman_discovery-0:5.0.0.9-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | tfm-rubygem-hammer_cli_foreman_admin-0:0.0.5-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | tfm-rubygem-hammer_cli_katello-0:0.0.22.25-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | tfm-rubygem-katello-0:3.0.0.70-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 6 | RedHat | tfm-rubygem-ovirt_provision_plugin-0:1.0.2-1.el6sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | foreman-0:1.11.0.51-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | foreman-installer-1:1.11.0.10-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | foreman-proxy-0:1.11.0.5-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | pulp-0:2.8.3.4-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | satellite-0:6.2.1-1.2.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | tfm-rubygem-foreman_discovery-0:5.0.0.9-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | tfm-rubygem-hammer_cli_foreman_admin-0:0.0.5-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | tfm-rubygem-hammer_cli_katello-0:0.0.22.25-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | tfm-rubygem-katello-0:3.0.0.70-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | tfm-rubygem-ovirt_provision_plugin-0:1.0.2-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | foreman-0:1.11.0.51-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | foreman-installer-1:1.11.0.10-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | foreman-proxy-0:1.11.0.5-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | pulp-0:2.8.3.4-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | satellite-0:6.2.1-1.2.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | tfm-rubygem-foreman_discovery-0:5.0.0.9-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | tfm-rubygem-hammer_cli_foreman_admin-0:0.0.5-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | tfm-rubygem-hammer_cli_katello-0:0.0.22.25-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | tfm-rubygem-katello-0:3.0.0.70-1.el7sat | * |
| Red Hat Satellite 6.2 for RHEL 7 | RedHat | tfm-rubygem-ovirt_provision_plugin-0:1.0.2-1.el7sat | * |
References
- http://projects.theforeman.org/issues/15268
- http://projects.theforeman.org/projects/foreman/repository/revisions/a30ab44ed6f140f1791afc51a1e448afc2ff28f9
- http://www.securityfocus.com/bid/92125
- https://access.redhat.com/errata/RHBA-2016:1615
- https://theforeman.org/security.html#2016-4475
- http://projects.theforeman.org/issues/15268
- http://projects.theforeman.org/projects/foreman/repository/revisions/a30ab44ed6f140f1791afc51a1e448afc2ff28f9
- http://www.securityfocus.com/bid/92125
- https://access.redhat.com/errata/RHBA-2016:1615
- https://theforeman.org/security.html#2016-4475