QwikSec

Security Database

CVE

CWE

Training

CVE-2016-7078

Published: Sep 10, 2018

Modified: Aug 6, 2024

PUBLISHED

CVSS v3.0

4.3

MEDIUM

Description

foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.

Vendor	Product	Versions
Foreman	foreman	affected `1.15.0`

Weaknesses (CWE)

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905

x_refsource_CONFIRM

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7078

x_refsource_CONFIRM

vdb-entry

x_refsource_BID

https://theforeman.org/security.html#2016-7078

x_refsource_CONFIRM

https://projects.theforeman.org/issues/16982

x_refsource_CONFIRM

[oss-security] 20170222 CVE-2016-7078: Foreman organization/location authorization vulnerability

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.