CVE-2013-2113

The create method in app/controllers/users_controller.rb in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create or edit other users to gain privileges by (1) changing the admin flag or (2) assigning an arbitrary role.

CVSS v2.0 6.0 MEDIUM

6.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:P

Exploitability : 6.8 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://projects.theforeman.org/issues/2630
http://rhn.redhat.com/errata/RHSA-2013-0995.html
https://bugzilla.redhat.com/show_bug.cgi?id=968166
https://groups.google.com/forum/#%21topic/foreman-users/6WpO_3ugiXU

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:theforeman:foreman::rc1::::::*
	cpe:2.3:a:redhat:openstack:3.0:::::::*
	cpe:2.3:a:theforeman:foreman:1.1:::::::*

Information

Published : 2013-07-31 06:20

Updated : 2023-02-12 20:42

NVD link : CVE-2013-2113

Mitre link : CVE-2013-2113

JSON object : View

CWE

CWE-264

Permissions, Privileges, and Access Controls

Products Affected

theforeman

foreman

redhat

openstack

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://projects.theforeman.org/issues/2630", "name": "http://projects.theforeman.org/issues/2630", "tags": [], "refsource": "CONFIRM"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0995.html", "name": "RHSA-2013:0995", "tags": [], "refsource": "REDHAT"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=968166", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=968166", "tags": [], "refsource": "CONFIRM"}, {"url": "https://groups.google.com/forum/#%21topic/foreman-users/6WpO_3ugiXU", "name": "https://groups.google.com/forum/#%21topic/foreman-users/6WpO_3ugiXU", "tags": [], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The create method in app/controllers/users_controller.rb in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create or edit other users to gain privileges by (1) changing the admin flag or (2) assigning an arbitrary role."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-264"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-2113", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2013-07-31T13:20Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:theforeman:foreman:*:rc1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "1.2.0"}, {"cpe23Uri": "cpe:2.3:a:redhat:openstack:3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:theforeman:foreman:1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-02-13T04:42Z"}

6.0 /10