First published: Tue Jul 19 2022
A user with 'change user' permissions can change any parameter of a superuser via the API, but none via the UI. Such a user can even set the 'is_superuser' flag to false and thus remove superuser privileges.

HTTP request:

```
PATCH http://localhost:5001/api/automation-hub/_ui/v1/users/1/
{"username": "admin", "is_superuser": false}
```

Response: 200 OK
Credit: secalert@redhat.com
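The missing server-side check, as an added sketch that is not code from Automation Hub or from the vendor's fix: it compares a check that looks only at the 'change user' permission with one that also refuses edits to superuser accounts and to `is_superuser` by non-superusers. The `User` model, the `change_user` permission name, the function names and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Fields only a superuser may change (assumption for this sketch).
PRIVILEGED_FIELDS = {"is_superuser"}

@dataclass(frozen=True)
class User:
    id: int
    username: str
    is_superuser: bool = False
    perms: frozenset = field(default_factory=frozenset)

def naive_check(actor, target, patch):
    """Behaviour the advisory describes: only 'change user' is checked."""
    return "change_user" in actor.perms

def hardened_check(actor, target, patch):
    """Return (allowed, reason) for a PATCH of `target` made by `actor`."""
    if actor.is_superuser:
        return True, "superuser"
    if "change_user" not in actor.perms:
        return False, "missing change_user permission"
    # A delegated user manager must never touch a more privileged account.
    if target.is_superuser:
        return False, "non-superuser may not modify a superuser account"
    # Nor may it grant or revoke privilege on ordinary accounts.
    changed = {k for k, v in patch.items() if getattr(target, k, None) != v}
    blocked = sorted(changed & PRIVILEGED_FIELDS)
    if blocked:
        return False, "non-superuser may not change: " + ", ".join(blocked)
    return True, "ok"

# Constructed sample data mirroring the request shown in the advisory.
ADMIN = User(1, "admin", is_superuser=True)
EDITOR = User(2, "editor", perms=frozenset({"change_user"}))
REGULAR = User(3, "alice")
ADVISORY_PATCH = {"username": "admin", "is_superuser": False}

if __name__ == "__main__":
    print("naive:", naive_check(EDITOR, ADMIN, ADVISORY_PATCH))
    print("hardened:", hardened_check(EDITOR, ADMIN, ADVISORY_PATCH))
    print("rename regular user:", hardened_check(EDITOR, REGULAR, {"username": "alice2"}))
    print("self-grant attempt:", hardened_check(EDITOR, REGULAR, {"is_superuser": True}))
```

The check belongs in the API layer that handles the PATCH, since the advisory shows that restrictions applied only in the UI do not bind API clients.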
Affected Software | Affected Version | How to fix |
---|---|---|
Redhat Ansible Automation Platform | =2.1 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Ansible Automation Platform | =2.2 | |
Redhat Enterprise Linux | =9.0 | |
Redhat Ansible Automation Platform | =2.0 | |