CVE-2016-4451

Impact:
Moderate
Public Date:
2016-05-25
CWE:
CWE-284
Bugzilla:
1339889: CVE-2016-4451 foreman: privilege escalation through Organization and Locations API
It was found that Satellite 6 did not properly enforce access controls on certain resources. An attacker, with access to the API and knowledge of the ID name, can potentially access other resources in other organizations.

Find out more about CVE-2016-4451 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 4.9
Base Metrics AV:N/AC:M/Au:S/C:P/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication Single
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact None

CVSS v3 metrics

CVSS3 Base Score 6.3
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality None
Integrity Impact High
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Satellite 6.3 (foreman) RHSA-2018:0336 2018-02-21
Red Hat Satellite Capsule 6.3 (foreman) RHSA-2018:0336 2018-02-21

Affected Packages State

Platform Package State
Red Hat Satellite 6 foreman Will not fix
Red Hat Ceph Storage 1.3 foreman Will not fix
OpenStack 6 Installer for RHEL 7 foreman Will not fix

Acknowledgements

This issue was discovered by Marek Hulán (Red Hat).

Last Modified
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.