oss-sec mailing list archives
CVE-2016-7077: information disclosure from association lists shown without authorization
From: Marek Hulán <mhulan () redhat com>
Date: Wed, 09 Nov 2016 13:20:55 +0100
CVE-2016-7077: information disclosure from association lists shown without authorization

Lists of associated resources, such as operating systems associated to a new architecture, are not restricted to listing resources that the user is authorized to view, when rendering with fewer than six items. The list will show all possible associated resources, disclosing their names.

Affects Foreman 1.1 and higher, but was first mitigated against in Foreman 1.9.0 for some cases.

Patch available at https://github.com/theforeman/foreman/pull/3955

Fix will be released in Foreman 1.14 (to be released)

For more information please see Redmine issue http://projects.theforeman.org/issues/16971

--
Marek
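The pattern the advisory describes, as an added illustration that is not Foreman's code and not part of the original message: a form helper that lists every candidate resource by name when there are only a few of them, next to a version that first scopes the candidates through the current user's authorization. The models, the user/permission representation, the helper names and the threshold constant are all assumptions made for this example; the sample operating systems are constructed data.

```ruby
# Illustrative example (not Foreman's code): an association list that renders
# from the unscoped collection versus one that applies the user's
# authorization scope first. All names here are assumptions for the example.

require 'set'

# Constructed sample data standing in for operating systems in Foreman.
OperatingSystem = Struct.new(:id, :name)

ALL_OPERATING_SYSTEMS = [
  OperatingSystem.new(1, 'CentOS 7'),
  OperatingSystem.new(2, 'Debian 8'),
  OperatingSystem.new(3, 'Ubuntu 16.04'),
  OperatingSystem.new(4, 'Internal-Build-OS'),
].freeze

# A user is modelled as the set of operating system ids it may view
# (a simplification of a real permission/filter system; assumption).
class User
  attr_reader :name, :viewable_os_ids

  def initialize(name, viewable_os_ids)
    @name = name
    @viewable_os_ids = Set.new(viewable_os_ids)
  end

  # Authorization scope: keep only the resources this user may view.
  def authorized(resources)
    resources.select { |r| viewable_os_ids.include?(r.id) }
  end
end

# Widget threshold mirroring the advisory's "fewer than six items" condition:
# below it every candidate is listed inline by name, at or above it a search
# widget is rendered instead. The exact value is an assumption for this example.
INLINE_LIST_THRESHOLD = 6

# Vulnerable helper: the decision and the list are both built from the
# unscoped collection, so a user allowed to view only some operating systems
# still sees the names of all of them whenever the total is small.
def association_list_vulnerable(all_resources)
  return :search_widget if all_resources.size >= INLINE_LIST_THRESHOLD

  all_resources.map(&:name)
end

# Fixed helper: scope the collection through the user's authorization before
# choosing the widget, so neither the names nor the count of resources the
# user may not view reach the rendered page.
def association_list_fixed(user, all_resources)
  visible = user.authorized(all_resources)
  return :search_widget if visible.size >= INLINE_LIST_THRESHOLD

  visible.map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  limited_user = User.new('limited', [1, 2])
  puts "vulnerable: #{association_list_vulnerable(ALL_OPERATING_SYSTEMS).inspect}"
  puts "fixed:      #{association_list_fixed(limited_user, ALL_OPERATING_SYSTEMS).inspect}"
end
```

Run it and the vulnerable helper prints all four names, including the one the limited user has no permission to view, while the fixed helper prints only the two the user is authorized for. The check to carry over to a real code base is that the authorization scope is applied to the collection before any rendering decision is made on it, not only on the large-collection path.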
Current thread:
- CVE-2016-7077: information disclosure from association lists shown without authorization Marek Hulán (Nov 09)