CVE-2016-4451

low-risk

Published 2016-08-19

The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.

Do I need to act?

0.14% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.0/10 Medium

NETWORK / HIGH complexity

Affected Products (2)

Foreman

Affected Vendors

Theforeman

References (8)

Vendor Advisory http://projects.theforeman.org/issues/15182

Patch http://projects.theforeman.org/projects/foreman/repository/revisions/1144040f444...

https://access.redhat.com/errata/RHSA-2018:0336

Vendor Advisory https://theforeman.org/security.html#2016-4451

Vendor Advisory http://projects.theforeman.org/issues/15182

Patch http://projects.theforeman.org/projects/foreman/repository/revisions/1144040f444...

https://access.redhat.com/errata/RHSA-2018:0336

Vendor Advisory https://theforeman.org/security.html#2016-4451

/ 100

low-risk

Severity 16/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 7/34 · Low