CVE-2015-5233

Published: Apr 11, 2016Modified: May 6, 2026

4.2

Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 1.6 / Impact: 2.5

Source: NVD

Description

Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to delete reports from arbitrary hosts via direct access to the (a) individual report show/delete pages or (b) APIs.

Affected (3)

Products: Theforeman: Foreman · Redhat: Satellite

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Theforeman Foreman	Up to 1.8.3
Theforeman Foreman	Version 1.9.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Satellite	Version 6.1

Related CWEs

References (6)

http://projects.theforeman.org/issues/11579

Source: secalert@redhat.com

PatchVendor Advisory

http://theforeman.org/security.html#CVE-2015-5233:reportsshow/destroynotrestrictedbyhostauthorization

Source: secalert@redhat.com

Vendor Advisory

https://access.redhat.com/errata/RHSA-2015:2622

Source: secalert@redhat.com

http://projects.theforeman.org/issues/11579

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

http://theforeman.org/security.html#CVE-2015-5233:reportsshow/destroynotrestrictedbyhostauthorization

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://access.redhat.com/errata/RHSA-2015:2622

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.