Vulnerability Description
The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Theforeman | Foreman | <= 1.11.2 |
Related Weaknesses (CWE)
References
- http://projects.theforeman.org/issues/15182Vendor Advisory
- http://projects.theforeman.org/projects/foreman/repository/revisions/1144040f444PatchVendor Advisory
- https://access.redhat.com/errata/RHSA-2018:0336
- https://theforeman.org/security.html#2016-4451Vendor Advisory
- http://projects.theforeman.org/issues/15182Vendor Advisory
- http://projects.theforeman.org/projects/foreman/repository/revisions/1144040f444PatchVendor Advisory
- https://access.redhat.com/errata/RHSA-2018:0336
- https://theforeman.org/security.html#2016-4451Vendor Advisory
FAQ
What is CVE-2016-4451?
CVE-2016-4451 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictio...
How severe is CVE-2016-4451?
CVE-2016-4451 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-4451?
Check the references section above for vendor advisories and patch information. Affected products include: Theforeman Foreman.