CVE-2016-2100 — Improper Access Control in Foreman

CWE-284 — Improper Access Control CWE-200 — Sensitive Information Exposure CWE-78 — OS Command Injection CWE-20 — Improper Input Validation7 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 57.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Theforeman Foreman

Timeline

PublishedMay 20

Latest updateMay 14

Description

Foreman before 1.10.3 and 1.11.0 before 1.11.0-RC2 allow remote authenticated users to read, modify, or delete private bookmarks by leveraging the (1) edit_bookmarks or (2) destroy_bookmarks permission.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages1 packages

▶NVDtheforeman/foreman1.10.2+1

🔴Vulnerability Details

GHSA

GHSA-96w5-w762-fpvr: Foreman before 1↗2022-05-14

▶

CVEList

CVE-2016-2100: Foreman before 1↗2016-05-20

▶

📋Vendor Advisories

Cisco

Cisco Cloud Services Platform 2100 Command Injection Vulnerability↗2016-09-21

▶

Cisco

Cisco Cloud Services Platform 2100 Remote Command Execution Vulnerability↗2016-09-21

▶

Red Hat

foreman: Unprivileged user can access private bookmarks of other users↗2015-02-13

▶

💬Community

Bugzilla

CVE-2016-2100 foreman: Unprivileged user can access private bookmarks of other users↗2016-02-22

▶