CVE-2016-7078

foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned _no_ organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
redhatCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
VendorProductVersion
theforemanforeman
1.15.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/96385
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7078
https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905
https://projects.theforeman.org/issues/16982
https://seclists.org/oss-sec/2017/q1/470
https://theforeman.org/security.html#2016-7078
http://www.securityfocus.com/bid/96385
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7078
https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905
https://projects.theforeman.org/issues/16982
https://seclists.org/oss-sec/2017/q1/470
https://theforeman.org/security.html#2016-7078