CVE-2016-4475

The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors.

Published: Aug 19, 2016
Updated: Apr 13, 2023
CVE: CVE-2016-4475
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-254

Affected Software
References

Software	From	Fixed in
theforeman / foreman	1.12.0	1.12.0.x
theforeman / foreman	-	1.11.3.x

http://projects.theforeman.org/issues/15268
http://projects.theforeman.org/projects/foreman/repository/revisions/a30ab44ed6f140f1791afc51a1e448afc2ff28f9
http://www.securityfocus.com/bid/92125
https://access.redhat.com/errata/RHBA-2016:1615
https://theforeman.org/security.html#2016-4475

Vulnerability Database

CVE-2016-4475

Deep Security Visibility Without the Complexity