CVE-2016-4451

MEDIUM

Foreman < 1.11.2 - Security Feature Bypass

Title source: rule

Description

The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.

Scores

CVSS v3: 5.0
EPSS: 0.0014
EPSS Percentile: 34.1%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE: CWE-254
Status: published

Affected Products (3)

theforeman/foreman < 1.11.2
theforeman/foreman
n/a/n/a

Timeline

Published: Aug 19, 2016
Tracked Since: Feb 18, 2026