Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2016-4451

The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.

Published

2016-08-19T21:59:08.337

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 5.0 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

6.8

Impact Score

6.4

Weaknesses

Type: Primary
CWE-254

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	theforeman	foreman	≤ 1.11.2	Yes
Application	theforeman	foreman	1.12.0	Yes

References

http://projects.theforeman.org/issues/15182 Vendor Advisory ([email protected])
http://projects.theforeman.org/projects/foreman/repository/revisions/1144040f444b4bf4aae81940a150b26b23b4623c Patch, Vendor Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:0336 ([email protected])
https://theforeman.org/security.html#2016-4451 Vendor Advisory ([email protected])
http://projects.theforeman.org/issues/15182 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://projects.theforeman.org/projects/foreman/repository/revisions/1144040f444b4bf4aae81940a150b26b23b4623c Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:0336 (af854a3a-2127-422b-91ae-364da2661108)
https://theforeman.org/security.html#2016-4451 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)