CVE-2015-1844
Published 2015-08-14
CVE-2015-1844: Foreman before 1.7.5 allows remote authenticated users to bypass organization and location restrictions by connecting through the REST API.
Priority: P4 · CVSS 2.0: 4.0 (medium) · Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
EPSS: 1.93% (77.4th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| theforeman | foreman | <= 1.7.4 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vendor_redhat | — | 4.0 | MEDIUM | — |
GHSA
GHSA-r6gp-x66j-mhw7 [MEDIUM]: Foreman before 1
ghsa_unreviewed · 2022-05-14
Foreman before 1.7.5 allows remote authenticated users to bypass organization and location restrictions by connecting through the REST API.
Red Hat
foreman: API not scoping resources to taxonomies [MEDIUM] (CWE-862)
vendor_redhat · 2015-03-29 · CVSS 4.0
Foreman before 1.7.5 allows remote authenticated users to bypass organization and location restrictions by connecting through the REST API.
A flaw was found in the way foreman authorized user actions on resources via the API when an organization was not explicitly set. A remote attacker could use this flaw to obtain additional information about resources they were not authorized to access.
Package: foreman (OpenStack Foreman) - Will not fix
Package: foreman (Red Hat Enterprise Linux OpenStack Platform 6 (Juno) Installer) - Will not fix
Package: foreman (Red Hat OpenStack Platform 4) - Will not fix
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-8934 [MEDIUM] libarchive: out of bounds heap read in RAR parser
bugzilla · 2016-06-23 · CVSS 5.5
An out of bounds read was found in libarchive's RAR parser. A specially
crafted file could cause the application to read heap memory beyond the end
of the decompression buffer.
Upstream bug:
https://github.com/libarchive/libarchive/issues/521
Upstream fix:
https://github.com/libarchive/libarchive/commit/603454e
Fix included in upstream release v3.2.1.
The vulnerable code was not included in libarchive-2.8.
Discussion:
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1352776]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-2016-1844.html
Bugzilla
CVE-2015-8930 [HIGH] libarchive: Endless loop in ISO parser
bugzilla · 2016-06-23 · CVSS 7.5
A denial of service was discovered in libarchive in the processing of .iso
files. A specially crafted .iso could cause the process to go into an (almost)
endless loop, eventually exiting with an error after hitting memory limits.
libarchive-2.8 does not support the required construct in ISO files.
Upstream bug:
https://github.com/libarchive/libarchive/issues/522
Upstream fix (two parts):
https://github.com/libarchive/libarchive/commit/39fc593
https://github.com/libarchive/libarchive/commit/01cfbca
Discussion:
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1352776]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1844 https://rhn.redhat.com/errata/
Bugzilla
CVE-2015-8923 [MEDIUM] libarchive: Unclear crashes in ZIP parser
bugzilla · 2016-06-22 · CVSS 6.5
An out-of-bounds read due to incorrect sign extension was found in
libarchive. A specially crafted ZIP file could cause libarchive to
crash. A few bytes of heap memory within a 256-byte region could
potentially be exposed.
Upstream bug:
https://github.com/libarchive/libarchive/issues/514
Upstream fix:
https://github.com/libarchive/libarchive/commit/9e0689c
libarchive-2.8 does not include support for "Info-Zip Unix extra field
(type 3)", where this flaw was found, and is thus unaffected.
Discussion:
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1352776]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-201
Bugzilla
CVE-2015-8931 [HIGH] libarchive: Undefined behavior (signed integer overflow) in mtree parser
bugzilla · 2016-06-22 · CVSS 7.8
Undefined behaviour (signed integer overflow) was discovered in libarchive,
in the MTREE parser's calculation of maximum and minimum dates.
Upstream bug:
https://github.com/libarchive/libarchive/issues/539
Upstream fix:
https://github.com/libarchive/libarchive/commit/b31744d
Discussion:
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1352776]
---
FTR: Also 11f6da24 should be backported.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-2016-1844.html
Bugzilla
CVE-2015-8922 [MEDIUM] libarchive: NULL pointer access in 7z parser
bugzilla · 2016-06-21 · CVSS 5.5
Upstream bug:
https://github.com/libarchive/libarchive/issues/513
Upstream fix:
https://github.com/libarchive/libarchive/commit/d094dc
libarchive-2.8 does not include support for this format.
Discussion:
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1352776]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-2016-1844.html
Bugzilla
CVE-2015-8920 [MEDIUM] libarchive: Stack out of bounds read in ar parser
bugzilla · 2016-06-21 · CVSS 5.5
Upstream bug:
https://github.com/libarchive/libarchive/issues/511
Upstream fix:
https://github.com/libarchive/libarchive/commit/97f964e
> While pruning trailing text from ar filenames, we did not
> check for an empty filename. This results in reading the
> byte before the filename on the stack.
Discussion:
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1352776]
Affects: epel-5 [bug 1352775]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:1850 https://rhn.redhat.com/errata/RHSA-2016-1850.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-20
Bugzilla
CVE-2015-8925 [MEDIUM] libarchive: Unclear invalid memory read in mtree parser
bugzilla · 2016-06-21 · CVSS 5.5
Upstream bug:
https://github.com/libarchive/libarchive/issues/516
Upstream fix:
https://github.com/libarchive/libarchive/commit/1e18cbb71
Incorrect parsing of escaped newlines allows a small OOB read.
libarchive-2.8 has less capable mtree parsing which does not include this vulnerability.
Discussion:
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1352776]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-2016-1844.html
Bugzilla
CVE-2015-8924 [MEDIUM] libarchive: Heap out of bounds read in TAR parser
bugzilla · 2016-06-21 · CVSS 5.5
Upstream bug:
https://github.com/libarchive/libarchive/issues/515
Upstream fix:
https://github.com/libarchive/libarchive/commit/bb9b157
> Tar reader tries to examine last character of an empty filename
libarchive-2.8 does not appear to be vulnerable in the same way, as it rejects the invalid archive early.
Discussion:
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1352776]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-2016-1844.html
Bugzilla
CVE-2015-8926 [MEDIUM] libarchive: NULL pointer access in RAR parser
bugzilla · 2016-06-21 · CVSS 5.5
Upstream bug:
https://github.com/libarchive/libarchive/issues/518
Upstream fix:
https://github.com/libarchive/libarchive/commit/aab73938
crafted RAR file can trick libarchive into returning to the caller a 128k block
of data starting at whatever value was previously in the caller's variable.
libarchive-2.8 does not include support for this format.
Discussion:
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1352776]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-2016-1844.html
Bugzilla
CVE-2015-8919 [HIGH] libarchive: Heap out of bounds read in LHA/LZH parser
bugzilla · 2016-06-21 · CVSS 7.5
Upstream bug:
https://github.com/libarchive/libarchive/issues/510
Upstream fix:
https://github.com/libarchive/libarchive/commit/e8a2e4d
libarchive-2.8 does not include support for this format.
Discussion:
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1352776]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-2016-1844.html
Bugzilla
CVE-2015-8928 [MEDIUM] libarchive: Heap out of bounds read in mtree parser
bugzilla · 2016-06-21 · CVSS 5.5
Upstream bug:
https://github.com/libarchive/libarchive/issues/550
Upstream fix:
https://github.com/libarchive/libarchive/commit/64d5628
> The mtree parser scanned from the end of the string to identify
> the filename when the filename is the last element of the line.
> If the filename was the entire line, the logic would scan back
> to before the start of the string.
libarchive-2.8 does not include support for this mtree variant.
Discussion:
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1352776]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-2016-1844.html
Bugzilla
CVE-2015-8917 [HIGH] libarchive: NULL pointer access in CAB parser
bugzilla · 2016-06-21 · CVSS 7.5
Upstream bug:
https://github.com/libarchive/libarchive/issues/505
Upstream Fix (bsdtar only):
https://github.com/libarchive/libarchive/commit/b2e2abb
libarchive-2.8 does not include support for this format.
Discussion:
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1352776]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-2016-1844.html
Bugzilla
CVE-2015-8916 [MEDIUM] libarchive: NULL pointer access in RAR parser through bsdtar
bugzilla · 2016-06-21 · CVSS 6.5
Upstream bug:
https://github.com/libarchive/libarchive/issues/504
Upstream Fix (bsdtar only):
https://github.com/libarchive/libarchive/commit/b2e2abb
libarchive-2.8 does not include support for this format.
Discussion:
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1352776]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1844 https://rhn.redhat.com/errata/RHSA-2016-1844.html
Bugzilla
CVE-2015-1844 [MEDIUM] foreman: API not scoping resources to taxonomies [rhn_satellite_6.0.z]
bugzilla · 2015-04-01 · CVSS 4.0
+++ This bug was initially created as a clone of Bug #1208071 +++
I created a new user with a dedicated role with the following permissions:
Host/managed: view_hosts
The user is a member of 1 organization and 2/4 locations. When logging in via the web interface, the user can only see the hosts belonging to that 1 organization/2 locations. However, an API call via /api/hosts lists the hosts of all organizations and all locations. The only way I could fix this was by applying a location/organization restriction to the view_hosts filter on the role.
--- Additional comment from Marek Hulan on 2015-04-01 06:28:17 EDT ---
Created from redmine issue http://projects.theforeman.org/issues/9947
Discussion:
M
Bugzilla
CVE-2015-1844 [MEDIUM] foreman: API not scoping resources to taxonomies [rhn_satellite_6.1.0]
bugzilla · 2015-04-01 · CVSS 4.0
I created a new user with a dedicated role with the following permissions:
Host/managed: view_hosts
The user is a member of 1 organization and 2/4 locations. When logging in via the web interface, the user can only see the hosts belonging to that 1 organization/2 locations. However, an API call via /api/hosts lists the hosts of all organizations and all locations. The only way I could fix this was by applying a location/organization restriction to the view_hosts filter on the role.
Discussion:
Created from redmine issue http://projects.theforeman.org/issues/9947
---
Moving to POST since upstream bug http://projects.theforeman.org/issues/9947 has been closed
Marek Hulán
Applied in changeset commit:ab
Bugzilla
CVE-2015-1844 [MEDIUM] foreman: API not scoping resources to taxonomies
bugzilla · 2015-03-31 · CVSS 4.0
It was discovered that in the Foreman API it's possible to retrieve any organization's information if the organization is not explicitly set in the API request.
The fix should make sure that if user does not specify an org explicitly - he's scoped to his orgs only.
Initially reported in Foreman public mailing list:
https://groups.google.com/forum/#!topic/foreman-users/qAGZh5n6n6M
Discussion:
Upstream bug report: http://projects.theforeman.org/issues/9947
---
Pull request:
https://github.com/theforeman/foreman/pull/2273
---
This issue has been addressed in the following products:
Red Hat Satellite 6.1
Via RHSA-2015:1591 https://access.redhat.com/errata/RHSA-2015:1591
---
This issue has been addressed in the following pr
References:
http://projects.theforeman.org/issues/9947
https://access.redhat.com/errata/RHSA-2015:1591
https://access.redhat.com/errata/RHSA-2015:1592
https://github.com/theforeman/foreman/pull/2273
https://groups.google.com/forum/#%21topic/foreman-announce/37KYWhIk4FY
https://groups.google.com/forum/#%21topic/foreman-users/qAGZh5n6n6M
Published: 2015-08-14