Bug #13828
closed
CVE-2016-2100 - unprivileged user can see private bookmarks in Administer -> Bookmarks
Added by Ohad Levy about 8 years ago.
Updated almost 6 years ago.
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1192414
Description of problem:
Unprivileged user can see Administer -> Bookmarks
How reproducible:
always
Steps to Reproduce:
1. Login with admin user
2. Switch to "Any context" and create user without any location, org and role
3. Logout with admin user and login with newly created user
Actual results:
The unprivileged user can access Administer -> Bookmarks. He can not get details about these bookmarks, details about these bookmarks, but see them.
Files
I would expect bookmark listing to display my_bookmarks by default, similar to how the bookmark dropdown works.
- Description updated (diff)
- Subject changed from unprivileged user can see Administer -> Bookmarks to unprivileged user can see private bookmarks in Administer -> Bookmarks
- Category set to Security
- Assignee deleted (
Tom Caspy)
There are further related issues with bookmarks, mostly coming from resource_base not being adequately defined:
- UI edit action can render a form for a private bookmark by ID, if the user has edit_permission.
- API index and get responses also shows private bookmarks from other users
update and destroy actions of both the UI and API are not scoped to bookmarks that the user should have access to update, so they can supply an ID for a private bookmark of another user, the resource is found and updated. User needs edit/destroy_bookmarks permission for this.
I've requested a CVE for this issue, we'll address it in the next release(s) following a patch being written.
- Subject changed from unprivileged user can see private bookmarks in Administer -> Bookmarks to CVE-2015-7582 - unprivileged user can see private bookmarks in Administer -> Bookmarks
CVE-2015-7582 has been assigned. Please include the number in the commit message.
tried reproducing with unpriviliged user, failed.
but I can see all the hosts in the system, can't edit them. is that supposed to happen?
Depends on the permissions assigned to your "Anonymous" role, which is a minimum set applied to all users.
The default changed some time ago and view_hosts was removed. view_bookmarks is assigned by default, so ensure yours matches the default seed (db/seeds.d/03-roles.rb).
- Status changed from New to Ready For Testing
- Assignee set to Tom Caspy
- Pull request https://github.com/theforeman/foreman/pull/3217 added
- Subject changed from CVE-2015-7582 - unprivileged user can see private bookmarks in Administer -> Bookmarks to CVE-2016-2100 - unprivileged user can see private bookmarks in Administer -> Bookmarks
The CVE identifier should have been assigned from a 2016 block, so it's now CVE-2016-2100.
- Status changed from Ready For Testing to New
- Assignee deleted (
Tom Caspy)
- Pull request deleted (
https://github.com/theforeman/foreman/pull/3217)
- Status changed from New to Ready For Testing
- Assignee set to Tom Caspy
- Pull request https://github.com/theforeman/foreman/pull/3221 added
- translation missing: en.field_release set to 145
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by