CVE-2016-7078

foreman before version 1.15.0 is vulnerable to an information leak through organizations and locations feature. When a user is assigned no organizations/locations, they are able to view all resources instead of none (mirroring an administrator's view). The user's actions are still limited by their assigned permissions, e.g. to control viewing, editing and deletion.

Published: Sep 10, 2018
Updated: Apr 13, 2023
CVE: CVE-2016-7078
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
theforeman / foreman	1.15.0	1.15.0.x

http://www.securityfocus.com/bid/96385
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7078
https://github.com/theforeman/foreman/commit/5f606e11cf39719bf62f8b1f3396861b32387905
https://projects.theforeman.org/issues/16982
https://seclists.org/oss-sec/2017/q1/470
https://theforeman.org/security.html#2016-7078

Vulnerability Database

289,599

CVE-2016-7078