CVE-2016-4475
HIGH severity · CVSS 8.8 · CWE-254
8.8CVSS HIGH
Summary
The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredLow
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)3%
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: http://projects.theforeman.org/issues/15268 ↗
Additional information
- NVD record
- http://projects.theforeman.org/issues/15268Patch
- http://projects.theforeman.org/projects/foreman/repository/revisions/a30ab44ed6f140f1791afc51a1e448afc2ff28f9Patch
- https://theforeman.org/security.html#2016-4475Advisory
- http://www.securityfocus.com/bid/92125Advisory
- https://access.redhat.com/errata/RHBA-2016:1615