Headline
CVE-2014-0192: Bug #5436: CVE-2014-0192 - provisioning templates are world accessible
Foreman 1.4.0 before 1.5.0 does not properly restrict access to provisioning template previews, which allows remote attackers to obtain sensitive information via the hostname parameter, related to “spoof.”
Category:
Unattended installations
Description
Since 1e0fd283 it is possible to override spoof by providing a hostname parameter.
This would allow retrieving any template of any host, bypassing authentication.
History
#1 Updated by Ohad Levy almost 9 years ago
A simple example using curl:
curl http://0.0.0.0:3000/unattended/provision\?hostname\=abc
#2 Updated by Dominic Cleal almost 9 years ago
Hm, I think I see from the code - we’re only applying the authorisation filters when the spoof parameter isn’t used, in the assumption that this is the only parameter needing protection. Bit messy.
This has probably been in since 5b70f0e0 / #359, so Foreman 1.4.0 and above are affected.
#6 Updated by Ohad Levy almost 9 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
#7 Updated by Dominic Cleal almost 9 years ago
- Subject changed from provisioning templates are world accessible to CVE-2014-0192 - provisioning templates are world accessible
#8 Updated by Dominic Cleal almost 9 years ago
- Legacy Backlogs Release (now unused) changed from 4 to 17
Fix available in 1.5.0-RC2 and above.
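A log-review check for the behaviour described in this issue, as an added example that is not part of the original ticket or of Foreman's code: it scans front-end access-log lines for /unattended/ requests that select a host through the hostname or spoof parameter. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```ruby
require "uri"

# Apache/nginx "combined" access-log line (assumed front-end log format).
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "[A-Z]+ (?<target>\S+) [^"]*" (?<status>\d{3}) /

# Parse a query string; keep raw pairs when the logged request is malformed
# (bad %-encoding or non-ASCII bytes make URI.decode_www_form raise).
def query_params(query)
  URI.decode_www_form(query.to_s).to_h
rescue ArgumentError
  query.to_s.split("&").to_h { |kv| k, v = kv.split("=", 2); [k.to_s, v.to_s] }
end

# One finding per request to /unattended/<kind> that names a host through
# the hostname or spoof parameter, i.e. asks for another host's template.
def unattended_preview_hits(lines)
  lines.filter_map do |line|
    m = LOG_RE.match(line) or next
    path, query = m[:target].split("?", 2)
    kind = path[%r{\A/unattended/([^/]+)\z}, 1] or next
    params = query_params(query)
    selector = %w[hostname spoof].find { |k| params.key?(k) } or next
    { ip: m[:ip], time: m[:ts], kind: kind, selector: selector,
      target: params[selector], status: m[:status].to_i,
      served: m[:status] == "200" }
  end
end

# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = <<~LOG.lines
  192.0.2.10 - - [12/May/2014:10:01:02 +0000] "GET /unattended/provision HTTP/1.1" 200 4312 "-" "anaconda"
  198.51.100.7 - - [12/May/2014:10:05:40 +0000] "GET /unattended/provision?hostname=abc HTTP/1.1" 200 5120 "-" "curl/7.29.0"
  198.51.100.7 - - [12/May/2014:10:05:44 +0000] "GET /unattended/finish?hostname=db01.example.com HTTP/1.1" 200 2048 "-" "curl/7.29.0"
  203.0.113.5 - - [12/May/2014:10:09:13 +0000] "GET /unattended/provision?spoof=192.0.2.44 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  203.0.113.9 - - [12/May/2014:10:11:00 +0000] "GET /hosts?search=hostname HTTP/1.1" 200 900 "-" "Mozilla/5.0"
LOG

if __FILE__ == $PROGRAM_NAME
  unattended_preview_hits(SAMPLE_LOG).each do |h|
    flag = h[:served] ? "SERVED" : "not served"
    puts "#{h[:time]} #{h[:ip]} #{h[:kind]} #{h[:selector]}=#{h[:target]} -> #{h[:status]} #{flag}"
  end
end
```

On a version in the affected range named in this ticket, served hostname= hits from addresses that are not the host being provisioned are the entries to review first.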