CVE-2016-7078

CWE-285 CWE-200 — Information Exposure5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.3%

top 45.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Foreman Foreman Theforeman Foreman

Timeline

PublishedSep 10

Latest updateMay 13

Description

foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5foreman/foreman1.15.0

▶NVDtheforeman/foreman1.15.0

🔴Vulnerability Details

GHSA

GHSA-c2qx-mg67-hwxr: foreman before version 1↗2022-05-13

▶

CVEList

CVE-2016-7078: foreman before version 1↗2018-09-10

▶

📋Vendor Advisories

Red Hat

foreman: Information leak through organizations and locations feature↗2016-10-18

▶

💬Community

Bugzilla

CVE-2016-7078 foreman: Information leak through organizations and locations feature↗2016-10-18

▶