Vulnerability Details : CVE-2016-4451
The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.
Products affected by CVE-2016-4451
- cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*
- cpe:2.3:a:theforeman:foreman:1.12.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-4451
- EPSS score: 0.26% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~47% (the proportion of vulnerabilities scored at or below this level)
CVSS scores for CVE-2016-4451
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P | 6.8 | 6.4 | NIST | |
5.0 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L | 1.6 | 3.4 | NIST | |
CWE ids for CVE-2016-4451
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-4451
- https://theforeman.org/security.html#2016-4451 (Foreman :: Security; Vendor Advisory)
- http://projects.theforeman.org/issues/15182 (Bug #15182: CVE-2016-4451 - Privileges escalation through Organization and Locations API - Foreman; Vendor Advisory)
- http://projects.theforeman.org/projects/foreman/repository/revisions/1144040f444b4bf4aae81940a150b26b23b4623c (Revision 1144040f - Fixes #15182 - limit user taxonomies in API (CVE-2016-4451) - Foreman; Patch; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2018:0336 (RHSA-2018:0336 - Security Advisory - Red Hat Customer Portal)