Bugzilla – Bug 989533
VUL-1: CVE-2016-5390: rubygem-foreman: Access to API routes beneath hosts is not filtered for users with view_host permission
Last modified: 2017-05-23 09:11:15 UTC
Courtesy bug against devel:languages:ruby:extensions/rubygem-foreman from the SUSE Security team: http://projects.theforeman.org/issues/15653 Non-admin users with the view_hosts permission containing a filter are able to access API routes beneath "hosts" such as GET /api/v2/hosts/secrethost/interfaces without the filter being taken into account. This allows users to access network interface details (including BMC login details) for any host. The filter is only correctly used when accessing the main host details (/api/v2/hosts/secrethost). Access to the "nested" routes, which includes interfaces, reports, parameters, audits, facts and Puppet classes, is not authorized beyond requiring any view_hosts permission. Affects Foreman 1.10.0 and higher. https://github.com/theforeman/foreman/pull/3644 References: https://bugzilla.redhat.com/show_bug.cgi?id=1355728 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5390
bugbot adjusting priority
the gem is about http://github.com/ddollar/foreman, the CVE about https://github.com/theforeman/foreman - and we have 0.84 of the gem. So technically we are not vulnerable :)