CVE-2015-1844 — Missing Authorization in Foreman

CWE-264 CWE-862 — Missing Authorization CWE-201 — Sensitive Info Insertion into Sent Data20 documents5 sources

Severity

4.0MEDIUMNVD

EPSS

0.3%

top 50.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Theforeman Foreman

Timeline

PublishedAug 14

Latest updateMay 14

Description

Foreman before 1.7.5 allows remote authenticated users to bypass organization and location restrictions by connecting through the REST API.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages1 packages

▶NVDtheforeman/foreman1.7.4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-r6gp-x66j-mhw7: Foreman before 1↗2022-05-14

▶

CVEList

CVE-2015-1844: Foreman before 1↗2015-08-14

▶

📋Vendor Advisories

Red Hat

foreman: API not scoping resources to taxonomies↗2015-03-29

▶

💬Community

Bugzilla

CVE-2015-8934 libarchive: out of bounds heap read in RAR parser↗2016-06-23

▶

Bugzilla

CVE-2015-8930 libarchive: Endless loop in ISO parser↗2016-06-23

▶

Bugzilla

CVE-2015-8923 libarchive: Unclear crashes in ZIP parser↗2016-06-22

▶

Bugzilla

CVE-2015-8931 libarchive: Undefined behavior (signed integer overflow) in mtree parser↗2016-06-22

▶

Bugzilla

CVE-2015-8922 libarchive: NULL pointer access in 7z parser↗2016-06-21

▶