CVE-2015-3163

First published: Fri Apr 24 2015(Updated: )

Description of problem: The admin pages for key types and power types do not perform any access checks. An authenticated user can visit these URLs directly (they do not appear in the menu for non-admins) and modify power types and key types. Version-Release number of selected component (if applicable): probably all Beaker versions How reproducible: easily Steps to Reproduce: 1. Go to $BEAKER/powertypes/ without logging in 2. Create or remove power types 3. Go to $BEAKER/keytypes/ without logging in 4. Create or remove key types Actual results: All operations are allowed. Expected results: We can probably allow anonymous users to list the key types and power types as this would be generally useful (and is not sensitive information). However modifications should not be permitted except by admins.

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/type
• agent/softwarecombine
• agent/first-publish-date
• collector/mitre-cve
• source/MITRE
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2015-3163
• agent/remedy
• agent/weakness
• agent/severity
• agent/last-modified-date
• agent/references
• agent/author
• agent/description
• agent/event
• agent/tags
• agent/trending
• vendor/redhat
• canonical/redhat beaker
• version/redhat beaker/19.3
• version/redhat beaker/20.0
• version/redhat beaker/20.0-rc1