CVE-2017-7505

Foreman since version 1.5 is vulnerable to an incorrect authorization check due to which users with user management permission who are assigned to some organization(s) can do all operations granted by these permissions on all administrator user object outside of their scope, such as editing global admin accounts including changing their passwords.

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://projects.theforeman.org/issues/19612	Issue Tracking Patch Vendor Advisory
http://www.securityfocus.com/bid/98607	Third Party Advisory VDB Entry
https://github.com/theforeman/foreman/pull/4545	Patch Vendor Advisory
http://projects.theforeman.org/issues/19612	Issue Tracking Patch Vendor Advisory
http://www.securityfocus.com/bid/98607	Third Party Advisory VDB Entry
https://github.com/theforeman/foreman/pull/4545	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:theforeman:foreman:1.5.0:::::::*
	cpe:2.3:a:theforeman:foreman:1.5.0:rc1::::::
	cpe:2.3:a:theforeman:foreman:1.5.0:rc2::::::
	cpe:2.3:a:theforeman:foreman:1.5.1:::::::*
	cpe:2.3:a:theforeman:foreman:1.5.2:::::::*
	cpe:2.3:a:theforeman:foreman:1.5.3:::::::*
	cpe:2.3:a:theforeman:foreman:1.6.0:::::::*
	cpe:2.3:a:theforeman:foreman:1.6.0:rc1::::::
	cpe:2.3:a:theforeman:foreman:1.6.0:rc2::::::
	cpe:2.3:a:theforeman:foreman:1.6.1:::::::*
	cpe:2.3:a:theforeman:foreman:1.6.3:::::::*
	cpe:2.3:a:theforeman:foreman:1.7.0:::::::*
	cpe:2.3:a:theforeman:foreman:1.7.0:rc1::::::
	cpe:2.3:a:theforeman:foreman:1.7.0:rc2::::::
	cpe:2.3:a:theforeman:foreman:1.7.1:::::::*
	cpe:2.3:a:theforeman:foreman:1.7.2:::::::*
	cpe:2.3:a:theforeman:foreman:1.7.3:::::::*
	cpe:2.3:a:theforeman:foreman:1.7.4:::::::*
	cpe:2.3:a:theforeman:foreman:1.7.5:::::::*
	cpe:2.3:a:theforeman:foreman:1.8.0:::::::*
	cpe:2.3:a:theforeman:foreman:1.8.0:rc1::::::
	cpe:2.3:a:theforeman:foreman:1.8.0:rc2::::::
	cpe:2.3:a:theforeman:foreman:1.8.0:rc3::::::
	cpe:2.3:a:theforeman:foreman:1.8.1:::::::*
	cpe:2.3:a:theforeman:foreman:1.8.2:::::::*
	cpe:2.3:a:theforeman:foreman:1.8.3:::::::*
	cpe:2.3:a:theforeman:foreman:1.8.4:::::::*
	cpe:2.3:a:theforeman:foreman:1.9.0:::::::*
	cpe:2.3:a:theforeman:foreman:1.9.0:rc1::::::
	cpe:2.3:a:theforeman:foreman:1.9.0:rc2::::::
	cpe:2.3:a:theforeman:foreman:1.9.0:rc3::::::
	cpe:2.3:a:theforeman:foreman:1.9.1:::::::*
	cpe:2.3:a:theforeman:foreman:1.9.2:::::::*
	cpe:2.3:a:theforeman:foreman:1.9.3:::::::*
	cpe:2.3:a:theforeman:foreman:1.10.0:::::::*
	cpe:2.3:a:theforeman:foreman:1.10.0:rc1::::::
	cpe:2.3:a:theforeman:foreman:1.10.0:rc2::::::
	cpe:2.3:a:theforeman:foreman:1.10.0:rc3::::::
	cpe:2.3:a:theforeman:foreman:1.10.1:::::::*
	cpe:2.3:a:theforeman:foreman:1.10.2:::::::*
	cpe:2.3:a:theforeman:foreman:1.10.3:::::::*
	cpe:2.3:a:theforeman:foreman:1.10.4:::::::*
	cpe:2.3:a:theforeman:foreman:1.11.0:::::::*
	cpe:2.3:a:theforeman:foreman:1.11.0:rc1::::::
	cpe:2.3:a:theforeman:foreman:1.11.0:rc2::::::
	cpe:2.3:a:theforeman:foreman:1.11.0:rc3::::::
	cpe:2.3:a:theforeman:foreman:1.11.1:::::::*
	cpe:2.3:a:theforeman:foreman:1.11.2:::::::*
	cpe:2.3:a:theforeman:foreman:1.11.3:::::::*
	cpe:2.3:a:theforeman:foreman:1.11.4:::::::*
	cpe:2.3:a:theforeman:foreman:1.12.0:::::::*
	cpe:2.3:a:theforeman:foreman:1.12.0:rc1::::::
	cpe:2.3:a:theforeman:foreman:1.12.0:rc2::::::
	cpe:2.3:a:theforeman:foreman:1.12.0:rc3::::::
	cpe:2.3:a:theforeman:foreman:1.12.1:::::::*
	cpe:2.3:a:theforeman:foreman:1.12.2:::::::*
	cpe:2.3:a:theforeman:foreman:1.12.3:::::::*
	cpe:2.3:a:theforeman:foreman:1.12.4:::::::*
	cpe:2.3:a:theforeman:foreman:1.13.0:::::::*
	cpe:2.3:a:theforeman:foreman:1.13.0:rc1::::::
	cpe:2.3:a:theforeman:foreman:1.13.0:rc2::::::
	cpe:2.3:a:theforeman:foreman:1.13.1:::::::*
	cpe:2.3:a:theforeman:foreman:1.13.2:::::::*
	cpe:2.3:a:theforeman:foreman:1.13.3:::::::*
cpe:2.3:a:theforeman:foreman:1.13.4:::::::*
cpe:2.3:a:theforeman:foreman:1.14.0:::::::*
cpe:2.3:a:theforeman:foreman:1.14.0:rc1::::::
cpe:2.3:a:theforeman:foreman:1.14.0:rc2::::::
cpe:2.3:a:theforeman:foreman:1.14.0:rc3::::::
cpe:2.3:a:theforeman:foreman:1.14.1:::::::*
cpe:2.3:a:theforeman:foreman:1.14.2:::::::*
cpe:2.3:a:theforeman:foreman:1.14.3:::::::*
cpe:2.3:a:theforeman:foreman:1.15.0:::::::*
cpe:2.3:a:theforeman:foreman:1.15.0:rc1::::::
cpe:2.3:a:theforeman:foreman:1.15.0:rc2::::::

History

21 Nov 2024, 03:32

Type	Values Removed	Values Added
References	~~() http://projects.theforeman.org/issues/19612 - Issue Tracking, Patch, Vendor Advisory~~	() http://projects.theforeman.org/issues/19612 - Issue Tracking, Patch, Vendor Advisory
References	~~() http://www.securityfocus.com/bid/98607 - Third Party Advisory, VDB Entry~~	() http://www.securityfocus.com/bid/98607 - Third Party Advisory, VDB Entry
References	~~() https://github.com/theforeman/foreman/pull/4545 - Patch, Vendor Advisory~~	() https://github.com/theforeman/foreman/pull/4545 - Patch, Vendor Advisory

Information

Published : 2017-05-26 16:29

Updated : 2024-11-21 03:32

NVD link : CVE-2017-7505

Mitre link : CVE-2017-7505

CVE.ORG link : CVE-2017-7505

JSON object : View

Products Affected

theforeman

foreman

CWE

CWE-863

Incorrect Authorization

CWE-269

Improper Privilege Management

8.8 /10