CVE-2013-2113

The create method in app/controllers/users_controller.rb in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create or edit other users to gain privileges by (1) changing the admin flag or (2) assigning an arbitrary role.

CVSS v2.0 6.0 MEDIUM

6.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:P

Exploitability : 6.8 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://projects.theforeman.org/issues/2630
http://rhn.redhat.com/errata/RHSA-2013-0995.html
https://bugzilla.redhat.com/show_bug.cgi?id=968166
https://groups.google.com/forum/#%21topic/foreman-users/6WpO_3ugiXU

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:openstack:3.0:::::::*
	cpe:2.3:a:theforeman:foreman::rc1::::::*
	cpe:2.3:a:theforeman:foreman:1.1:::::::*

History

No history.

Information

Published : 2013-07-31 13:20

Updated : 2024-02-04 18:16

NVD link : CVE-2013-2113

Mitre link : CVE-2013-2113

CVE.ORG link : CVE-2013-2113

JSON object : View

Products Affected

redhat

openstack

theforeman

foreman

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2013-2113", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2013-07-31T13:20:25.083", "references": [{"url": "http://projects.theforeman.org/issues/2630", "source": "secalert@redhat.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0995.html", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=968166", "source": "secalert@redhat.com"}, {"url": "https://groups.google.com/forum/#%21topic/foreman-users/6WpO_3ugiXU", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The create method in app/controllers/users_controller.rb in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create or edit other users to gain privileges by (1) changing the admin flag or (2) assigning an arbitrary role."}, {"lang": "es", "value": "El m\u00e9todo \"create\" en app/controllers/users_controller.rb en Foreman anterior a 1.2.0-RC2, permite a usuarios autenticados remotamente con permisos para crear o editar otros usuarios elevar sus privilegios mediante (1) modificando el flag de admin o (2) asignando un rol arbitrario."}], "lastModified": "2023-02-13T04:42:52.227", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack:3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6533B15B-F748-4A5D-AB86-31D38DFAE60F"}, {"criteria": "cpe:2.3:a:theforeman:foreman:*:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "235E1F99-68CF-45D8-9842-98C2AC0EECC0", "versionEndIncluding": "1.2.0"}, {"criteria": "cpe:2.3:a:theforeman:foreman:1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B33A0A48-7B34-465B-BC10-A9D1C4FEDA9F"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}