MEDIUM 4.3

GHSA-cpv6-pfq6-j2v7

katello Improper Privilege Management vulnerability

Details

A flaw was found in Foreman's katello plugin version 3.4.5. After setting a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id.

Are you affected?

Enter the version of the package you're using.

Affected packages

RubyGems / katello

Introduced in: 0 Fixed in: 3.17.0.rc1

Fix bundle update katello

References

https://nvd.nist.gov/vuln/detail/CVE-2017-2662 [ADVISORY]
https://github.com/Katello/katello/pull/8772 [WEB]
https://github.com/Katello/katello/commit/853260e3e9f94179d5881199e7885d1c08e600f6 [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2662 [WEB]
https://github.com/Katello/katello [PACKAGE]
https://projects.theforeman.org/issues/18838 [WEB]