[Bug 989533] New: VUL-1: CVE-2016-5390: rubygem-foreman: Access to API routes beneath hosts is not filtered for users with view_host permission
http://bugzilla.opensuse.org/show_bug.cgi?id=989533

            Bug ID: 989533
           Summary: VUL-1: CVE-2016-5390: rubygem-foreman: Access to API routes
                    beneath hosts is not filtered for users with view_host
                    permission
    Classification: openSUSE
           Product: openSUSE.org
           Version: unspecified
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Minor
          Priority: P5 - None
         Component: 3rd party software
          Assignee: coolo@suse.com
          Reporter: astieger@suse.com
        QA Contact: opensuse-communityscreening@forge.provo.novell.com
                CC: aduffeck@suse.com, aspiers@suse.com, dmacvicar@suse.com,
                    fcastelli@suse.com, hvogel@suse.com,
                    jmassaguerpla@suse.com, jreidinger@suse.com,
                    mseidl@suse.com, mvidner@suse.com, prusnak@opensuse.org,
                    rsalevsky@suse.com, schubi@suse.com, tboerger@suse.com,
                    tserong@suse.com
          Found By: Security Response Team
           Blocker: ---

Courtesy bug against devel:languages:ruby:extensions/rubygem-foreman from the
SUSE Security team:

http://projects.theforeman.org/issues/15653

Non-admin users with the view_hosts permission containing a filter are able to
access API routes beneath "hosts" such as GET
/api/v2/hosts/secrethost/interfaces without the filter being taken into
account. This allows users to access network interface details (including BMC
login details) for any host.

The filter is only correctly used when accessing the main host details
(/api/v2/hosts/secrethost). Access to the "nested" routes, which includes
interfaces, reports, parameters, audits, facts and Puppet classes, is not
authorized beyond requiring any view_hosts permission.

Affects Foreman 1.10.0 and higher.

https://github.com/theforeman/foreman/pull/3644

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1355728
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5390

-- 
You are receiving this mail because:
You are on the CC list for the bug.
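The flaw class described in the report (a filtered view permission enforced on the parent resource but not on the routes nested beneath it) is illustrated below. This is an added example, not Foreman's code or the fix in the linked pull request: the in-memory host table, the hostgroup-based filter, the user model and the function names `interfaces_unscoped` / `interfaces_scoped` are all constructed for this illustration. The weak form authorizes the nested route by checking only that the user holds some view_hosts permission and then resolves the parent host from the unfiltered table; the hardened form resolves the parent through the user's authorized scope, so a host outside the filter is indistinguishable from one that does not exist.

```ruby
require 'set'

# Constructed sample data: two hosts, one of which a filtered user must not
# see. The BMC entry stands in for the sensitive interface details the
# report mentions; its credentials are placeholders.
HOSTS = [
  { name: 'publichost', hostgroup: 'web',
    interfaces: [{ type: 'Nic', ip: '10.0.0.10' }] },
  { name: 'secrethost', hostgroup: 'infra',
    interfaces: [{ type: 'BMC', ip: '10.0.99.1',
                   username: 'PLACEHOLDER', password: 'PLACEHOLDER' }] },
].freeze

class NotFound < StandardError; end
class Forbidden < StandardError; end

# A user holds a set of permission names and, optionally, a filter that
# narrows which hosts the view_hosts permission applies to. Here the filter
# is a single hostgroup name (an assumption for this example; Foreman uses a
# search expression).
User = Struct.new(:login, :permissions, :hostgroup_filter) do
  def allowed?(perm)
    permissions.include?(perm)
  end

  # The authorized scope: the subset of hosts this user may view.
  def visible_hosts
    return [] unless allowed?(:view_hosts)
    return HOSTS if hostgroup_filter.nil?

    HOSTS.select { |h| h[:hostgroup] == hostgroup_filter }
  end
end

# Weak pattern: the nested route checks that the user has *any* view_hosts
# permission, then resolves the parent host from the unfiltered table. The
# filter attached to the permission is never consulted.
def interfaces_unscoped(user, host_name)
  raise Forbidden unless user.allowed?(:view_hosts)

  host = HOSTS.find { |h| h[:name] == host_name }
  raise NotFound unless host

  host[:interfaces]
end

# Hardened pattern: the parent host is resolved *through* the authorized
# scope. Every nested route (interfaces, reports, parameters, ...) should
# look up its parent this way rather than by raw id or name.
def interfaces_scoped(user, host_name)
  host = user.visible_hosts.find { |h| h[:name] == host_name }
  raise NotFound unless host

  host[:interfaces]
end

# Constructed users: an operator limited to the "web" hostgroup, and an
# administrator with an unfiltered view_hosts permission.
def filtered_user
  User.new('operator', Set[:view_hosts], 'web')
end

def admin_user
  User.new('admin', Set[:view_hosts], nil)
end

if __FILE__ == $PROGRAM_NAME
  op = filtered_user
  puts "unscoped: #{interfaces_unscoped(op, 'secrethost').inspect}"
  begin
    interfaces_scoped(op, 'secrethost')
  rescue NotFound
    puts 'scoped:   secrethost is not visible to the filtered user'
  end
end
```

The useful test for a deployment is the same shape as the assertions here: take a user whose view permission carries a filter, request a nested resource of a host the filter excludes, and expect the same response as for a non-existent host. A 200 on the nested route while the parent route returns 404 is the signature of this bug class.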