CVE-2016-4475
Published 2016-08-19. CVE-2016-4475: The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass…
Priority: P3 49 high · CVSS 3.0 base score 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.67% (83.9th percentile)
The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| theforeman | foreman | <= 1.11.3 | — |
| theforeman | foreman | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vendor_redhat | — | 8.8 | HIGH | — |
Red Hat
foreman: API and UI actions/URLs not limited to the orgs/locations assigned
vendor_redhat · 2016-06-02 · CVSS 8.8
CVE-2016-4475 [HIGH] CWE-284 foreman: API and UI actions/URLs not limited to the orgs/locations assigned
It was found that the Foreman API and UI actions and URLs are not properly limited to the organizations and locations they were assigned to. This could allow an authenticated attacker to view and update other organizations and locations in the system that they should not be allowed to access.
Package: foreman (OpenStack Foreman) - Affected
Package: foreman (Red Hat Ceph Storage 1.3) - Will not fix
Package: foreman (Red Hat Enterprise Linux OpenStac
GHSA
GHSA-8887-4wpv-8chr: The (1) Organization and (2) Locations APIs and UIs in Foreman before 1
ghsa_unreviewed · 2022-05-14
No detection rules found.
No public exploits indexed.
References:
- http://projects.theforeman.org/issues/15268
- http://projects.theforeman.org/projects/foreman/repository/revisions/a30ab44ed6f140f1791afc51a1e448afc2ff28f9
- http://www.securityfocus.com/bid/92125
- https://access.redhat.com/errata/RHBA-2016:1615
- https://theforeman.org/security.html#2016-4475