Description
Various role-based privilege escalation flaws were found in ManageIQ, similar to the one found in GHSA-h59j-h2m8-8rf2. An unprivileged user can perform actions restricted to the system administrator.
Statement
In the ManageIQ UI classic code, we have implicit feature checks, by default, for controller actions. For example, for a request that hits controller#action, if there's a feature named controller_action we automatically check if the given user has access to this feature. If the feature doesn't exist, we let the user go through, as many controller actions are not dangerous and do not require a corresponding feature. Unfortunately, this opens the possibility of privilege escalation for routes where the corresponding feature does not match the controller_action format, and where the author forgets to put an explicit check.
Future Prevention
In order to prevent these kinds of errors from occurring in the future, we have created a set of specs that verify that every exposed route is protected with proper role-based access control. When new routes are created in pull requests, these specs will fail if the implicit feature doesn't exist and the author has not done an explicit feature check.
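As an added illustration (not ManageIQ's own code), the following Ruby sketch models the implicit controller_action feature check the Statement describes, shows the fall-through that lets an unprivileged user reach a route whose feature name does not match, and implements the kind of route audit described under Future Prevention. All feature names, users and routes here are constructed.

```ruby
# Constructed feature catalogue: feature identifier => roles allowed to use it.
FEATURES = {
  "host_edit" => %w[super_administrator],
  "vm_show"   => %w[super_administrator operator],
}.freeze

# Constructed users and their single role.
USERS = {
  "admin" => "super_administrator",
  "alice" => "operator",
}.freeze

# Constructed routes: [controller, action, explicit feature named by the author or nil].
ROUTES = [
  ["host", "edit",       nil],         # implicit feature host_edit exists
  ["vm",   "show",       nil],         # implicit feature vm_show exists
  ["host", "delete_all", nil],         # no matching feature, no explicit check
  ["vm",   "power_off",  "vm_show"],   # name mismatch, but author added explicit check
].freeze

# Feature name derived from controller#action, as the advisory describes.
def implicit_feature(controller, action)
  "#{controller}_#{action}"
end

# The implicit check: only enforced when a feature with the derived name exists.
# When none exists the request falls through, which is the weakness described.
def implicit_check_allows?(user, controller, action)
  feature = implicit_feature(controller, action)
  return true unless FEATURES.key?(feature)
  FEATURES[feature].include?(USERS.fetch(user))
end

# Route audit modelled on the "Future Prevention" specs: a route counts as
# protected only if its implicit feature exists or an explicit feature was named.
def route_protected?(controller, action, explicit_feature)
  return true if FEATURES.key?(implicit_feature(controller, action))
  explicit_feature ? FEATURES.key?(explicit_feature) : false
end

# Returns "controller#action" strings for every route the audit would reject.
def unprotected_routes(routes = ROUTES)
  routes.reject { |c, a, f| route_protected?(c, a, f) }.map { |c, a, _| "#{c}##{a}" }
end
```

Running unprotected_routes on the constructed table flags host#delete_all, the route an unprivileged user can reach because the implicit check has nothing to enforce.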
Mitigation
We recommend upgrading to secured released versions. There is no other workaround available.
https://access.redhat.com/security/cve/cve-2020-25716
Fixed in ivanchuk-8, jansa-3, kasparov-1-beta1