4.3

CVE-2016-7078

foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
TheforemanForeman Version1.15.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.36% 0.681
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov 4 8 2.9
AV:N/AC:L/Au:S/C:P/I:N/A:N
secalert@redhat.com 4.3 2.8 1.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

http://www.securityfocus.com/bid/96385
Third Party Advisory
VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7078
Third Party Advisory
Issue Tracking
https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905
Third Party Advisory
https://projects.theforeman.org/issues/16982
Vendor Advisory
https://seclists.org/oss-sec/2017/q1/470
Third Party Advisory
Mailing List
https://theforeman.org/security.html#2016-7078
Vendor Advisory