CVE-2017-7505: Incorrect Authorization in Foreman

Severity: 8.8 HIGH (NVD)
EPSS: 0.3% (top 46.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: published May 26; latest update May 13

Description

Foreman since version 1.5 is vulnerable to an incorrect authorization check, due to which users with user management permission who are assigned to some organization(s) can perform all operations granted by these permissions on all administrator user objects outside of their scope, such as editing global admin accounts, including changing their passwords.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Exploitability: 2.8 | Impact: 5.9)

Affected Packages (2 packages)

CVEList V5: foreman/foreman, 1.5 and higher
NVD: theforeman/foreman, 47 versions

Patches

Vulnerability Details (2)

GHSA: GHSA-r979-3cmv-8p2v, "Foreman since version 1" (2022-05-13)
CVEList: CVE-2017-7505, "Foreman since version 1" (2017-05-26)

Vendor Advisories (1)

Red Hat: foreman: Users with user management permission assigned to organization can manage user objects outside of the organization (2017-05-22)

Community (1)

Bugzilla: CVE-2017-7505 foreman: Users with user management permission assigned to organization can manage user objects outside of the organization (2017-05-22)
CVE-2017-7505 — Incorrect Authorization in Foreman | cvebase