Description
A flaw was found in ManageIQ where sensitive data could have been leaked to other existing roles. An attacker with low privileges could make use of the EVM-Admin API, if certain criteria were met, since there was no privilege check on the feature.
Acknowledgements
Red Hat would like to thank Purnachand Pulahari (IBM) and Ranjit Kumar Singh (IBM) for reporting this issue.
https://access.redhat.com/security/cve/CVE-2020-10779
Details
When selecting a tree node or switching between accordions, ManageIQ was not doing any privilege check. An underprivileged user could modify query params with the identifiers of other trees, and thus access trees they should not have been able to.
Fixed in ivanchuk-7, jansa-1-rc2, master.
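The Details paragraph above describes a missing authorization check: the tree identifier comes straight from the query params and is used without confirming that the current user's role may see that tree. The following Ruby is an added illustration written for this page, not ManageIQ's code or its fix. The tree identifiers, feature names, User class and node data are all constructed; it shows the unchecked pattern beside a hardened version where one guard, used for both node selection and accordion switching, resolves the feature a tree requires and refuses the request (and records the denial) when the user lacks it.

```ruby
require 'set'

# Constructed mapping from a tree identifier (as it would arrive in the
# request's query params) to the RBAC feature a user needs to view it.
# The identifiers and feature names are hypothetical, not ManageIQ's.
TREE_FEATURES = {
  'vms_tree'   => 'vm_explorer',
  'hosts_tree' => 'host_show_list',
  'users_tree' => 'rbac_user_view'
}.freeze

# Constructed node data returned for each tree.
TREE_NODES = {
  'vms_tree'   => %w[vm-web-01 vm-db-01],
  'hosts_tree' => %w[host-a host-b],
  'users_tree' => %w[admin auditor]
}.freeze

class User
  attr_reader :name, :features
  def initialize(name, features)
    @name = name
    @features = Set.new(features)
  end
end

class AuthorizationError < StandardError; end

# Denied selections are recorded here so the attempts are visible to
# monitoring; a real application would write these to its audit log.
DENIED = []

# Vulnerable pattern: only checks that the identifier from params names a
# tree that exists. Any user can reach any tree by editing the param.
def select_tree_unchecked(params)
  tree = params['tree']
  raise ArgumentError, "unknown tree: #{tree}" unless TREE_NODES.key?(tree)
  { tree: tree, nodes: TREE_NODES[tree] }
end

# Hardened pattern: resolve the feature the tree requires and refuse the
# request unless the user holds it. The same guard serves node selection
# and accordion switching, since both take the identifier from params.
def authorize_tree!(user, tree)
  feature = TREE_FEATURES[tree]
  raise ArgumentError, "unknown tree: #{tree}" if feature.nil?
  return if user.features.include?(feature)

  DENIED << { user: user.name, tree: tree, feature: feature }
  raise AuthorizationError, "#{user.name} lacks feature #{feature}"
end

def select_tree_checked(user, params)
  tree = params['tree']
  authorize_tree!(user, tree)
  { tree: tree, nodes: TREE_NODES[tree] }
end

# Tries each requested tree identifier for a user and reports the outcome,
# which is what an authorization test in the application's suite would
# assert on: :ok, :denied, or :unknown.
def outcomes(user, requested_trees)
  requested_trees.each_with_object({}) do |tree, result|
    result[tree] = begin
      select_tree_checked(user, 'tree' => tree)
      :ok
    rescue AuthorizationError
      :denied
    rescue ArgumentError
      :unknown
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  viewer = User.new('vm_viewer', ['vm_explorer'])
  puts "unchecked: #{select_tree_unchecked('tree' => 'users_tree')}"
  puts "checked:   #{outcomes(viewer, %w[vms_tree users_tree bogus_tree])}"
  puts "denied:    #{DENIED}"
end
```

The point of `authorize_tree!` is that the authorization decision is keyed on the identifier the client actually sent, so editing the query param cannot widen what the role can see; the denial record gives the defender a signal that such probing occurred.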