CVE-2016-7078
Published: 2018-09-10
Priority: P4 · 20 · medium · CVSS 3.0: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS: 1.36% (68.3rd percentile)
foreman before version 1.15.0 is vulnerable to an information leak through the organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| foreman | foreman | — | — |
| theforeman | foreman | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 4.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Red Hat
foreman: Information leak through organizations and locations feature
vendor_redhat · 2016-10-18 · CVSS 4.3 · MEDIUM · CWE-285
Package status:
- foreman (OpenStack Foreman): Will not fix
- foreman (Red Hat Ceph Storage 1.3): Will not fix
- foreman (Red Hat Enterprise Linux OpenStack Platform 6 (Juno) Installer): Will not fix
GHSA
GHSA-c2qx-mg67-hwxr: foreman before version 1
ghsa_unreviewed · 2022-05-13 · MEDIUM · CWE-200
No detection rules found.
No public exploits indexed.
References
- http://www.securityfocus.com/bid/96385
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7078
- https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905
- https://projects.theforeman.org/issues/16982
- https://seclists.org/oss-sec/2017/q1/470
- https://theforeman.org/security.html#2016-7078