CVE-2016-5390
Published 2016-08-19
Priority: P4 · 30 · CVSS 3.0: 5.3 (medium)
Vector: AV:N / AC:H / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 1.31% (67.0th percentile)
Foreman before 1.11.4 and 1.12.x before 1.12.1 allow remote authenticated users with the view_hosts permission containing a filter to obtain sensitive network interface information via a request to API routes beneath "hosts," as demonstrated by a GET request to api/v2/hosts/secrethost/interfaces.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| theforeman | foreman | >= 1.11.0 < 1.11.4 | 1.11.4 |
| theforeman | foreman | >= 1.12.0 < 1.12.1 | 1.12.1 |
CVSS provenance
nvd v3.0: 5.3 MEDIUM (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
nvd v2.0: 3.5 LOW (AV:N/AC:M/Au:S/C:P/I:N/A:N)
vendor_redhat: 5.3 MEDIUM
GHSA
GHSA-gh7p-2f9h-jrgc: Foreman before 1
ghsa_unreviewed · 2022-05-14 · CVE-2016-5390 [MEDIUM] · CWE-200
Red Hat
foreman: Access to API routes beneath hosts is not filtered for users with view_host permission
vendor_redhat · 2016-07-12 · CVSS 5.3 · CVE-2016-5390 [MEDIUM] · CWE-285
Package: foreman (OpenStack Foreman): Not affected
Package: foreman (Red Hat Enterprise Linux OpenStack Platform 6 (Juno) Installer): Not affected
Package: foreman (Red Hat Satellite 6): Not affected
No detection rules found.
No public exploits indexed.
References:
http://projects.theforeman.org/issues/15653
http://www.securityfocus.com/bid/91770
https://bugzilla.redhat.com/show_bug.cgi?id=1355728
https://theforeman.org/security.html#2016-5390