CVE-2016-7078

foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.
Configurations

Configuration 1 (hide)

cpe:2.3:a:theforeman:foreman:1.15.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-09-10 15:29

Updated : 2024-02-04 20:03


NVD link : CVE-2016-7078

Mitre link : CVE-2016-7078

CVE.ORG link : CVE-2016-7078


JSON object : View

Products Affected

theforeman

  • foreman
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-285

Improper Authorization