CVE-2016-4995

MEDIUM

Foreman < 1.11.4 - Information Disclosure

Description

Foreman before 1.11.4 and 1.12.x before 1.12.1 does not properly restrict access to preview provisioning templates, which allows remote authenticated users with permission to view some hosts to obtain sensitive host configuration information via a URL with a hostname.

Scores

CVSS v3 5.3
EPSS 0.0030
EPSS Percentile 52.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE CWE-200
Status published

Affected Products (2)

theforeman/foreman < 1.11.4
n/a/n/a

Timeline

Published Aug 19, 2016
Tracked Since Feb 18, 2026