Information Leak in Foreman by The Foreman Project
CVE-2016-7078

4.3MEDIUM

Key Information:

Vendor: Foreman
Status: Foreman
Vendor: CVE Published:; 10 September 2018

What is CVE-2016-7078?

An information leak vulnerability exists in Foreman versions prior to 1.15.0 that compromises data confidentiality. When users are assigned no organizations or locations, they gain unintended visibility into all resources. This behavior mirrors the access level of an administrator, leading to exposure of sensitive data. However, actions performed by these users remain restricted by their assigned permissions, limiting their ability to manipulate the resources. Organizations using Foreman should ensure they upgrade to the latest version to mitigate this risk.

Affected Version(s)

foreman 1.15.0

References

https://github.com/theforeman/foreman/commit/5f606e11cf39...

x_refsource_CONFIRM

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7078

x_refsource_CONFIRM

http://www.securityfocus.com/bid/96385

vdb-entryx_refsource_BID

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

CVSS V3.0

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 10, 2018
Vulnerability Reserved
Aug 23, 2016

CVE-2016-7078 Data

JSON