Issue #194: CVE-2015-5301: missing user authorization check when deleting a service provider - ipsilon

ipsilon

#194 CVE-2015-5301: missing user authorization check when deleting a service provider

Closed: Fixed None Opened 7 years ago by puiterwijk.

It was found that Ipsilon does not check whether a user is authorized to delete a service provider. This makes it possible for any authenticated user to delete any service provider, causing a denial of service.

The vulnerable code is at:

https://pagure.io/ipsilon/blob/master/f/ipsilon/providers/saml2/admin.py#_309

puiterwijk commented 7 years ago

This has been fixed with 9dec97c

Releases 1.0.2 and 1.1.1 have been released to resolve this.

keywords: => security
milestone: => 1.2
resolution: => fixed
status: new => closed

puiterwijk commented 7 years ago

Fields changed

type: defect => Security

Metadata Update from @puiterwijk:
- Issue assigned to puiterwijk
- Issue set to the milestone: 1.2
- Issue tagged with: security

5 years ago

Metadata

Assignee

puiterwijk

Tags

Blocking

None

Depending on

None

Priority

Major

Milestone

1.2

rhbz

CVE-2015-5301

design_link

None

type

Security

component

SAML

version

None

sensitive

patch_available

ipsilon

Source Code

#194 CVE-2015-5301: missing user authorization check when deleting a service provider Closed: Fixed None Opened 7 years ago by puiterwijk.

Metadata

security

#194 CVE-2015-5301: missing user authorization check when deleting a service provider

Closed: Fixed None Opened 7 years ago by puiterwijk.