CVE-2016-4475
high
CVSS v3
8.8
CVSS v2
6.5
VIR risk
8.8
Description
The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors.
Predictions
Exploit likelihood
92%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — https://theforeman.org/security.html#2016-4475
Vendor advisory: secalert@redhat.com — http://projects.theforeman.org/projects/foreman/repository/revisions/a30ab44ed6f140f1791afc51a1e448afc2ff28f9
Vendor advisory: secalert@redhat.com — http://projects.theforeman.org/issues/15268
References
- http://projects.theforeman.org/issues/15268
- http://projects.theforeman.org/projects/foreman/repository/revisions/a30ab44ed6f140f1791afc51a1e448afc2ff28f9
- http://www.securityfocus.com/bid/92125
- https://access.redhat.com/errata/RHBA-2016:1615
- https://theforeman.org/security.html#2016-4475
- http://projects.theforeman.org/issues/15268
- http://projects.theforeman.org/projects/foreman/repository/revisions/a30ab44ed6f140f1791afc51a1e448afc2ff28f9
- http://www.securityfocus.com/bid/92125
- https://access.redhat.com/errata/RHBA-2016:1615
- https://theforeman.org/security.html#2016-4475
CWEs
CWE-254
Verify integrity in audit chain (admin only). AS-IS.