oss-sec mailing list archives
CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization on Foreman 1.5+
From: Marek Hulán <mhulan () redhat com>
Date: Fri, 02 Jun 2017 09:16:06 +0200
CVE-2017-7505: User scoped in organization with permissions for user management can manage administrators that are not assigned to any organization on Foreman 1.5+

It has been found that a user with user management permission who is assigned to some organization(s) can do all operations granted by these permissions on all administrator user objects.

Affects Foreman 1.5 and higher.

Patch available at https://github.com/theforeman/foreman/pull/4545

Fix will be released in Foreman 1.15.1 (to be released)

For more information please see the Redmine issue http://projects.theforeman.org/issues/19612

--
Marek