{"id":"CVE-2016-5390","details":"Foreman before 1.11.4 and 1.12.x before 1.12.1 allows remote authenticated users with the view_hosts permission containing a filter to obtain sensitive network interface information via a request to API routes beneath \"hosts\", as demonstrated by a GET request to api/v2/hosts/secrethost/interfaces.","modified":"2026-03-14T09:20:00.060737Z","published":"2016-08-19T21:59:11.387Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/91770"},{"type":"ADVISORY","url":"https://theforeman.org/security.html#2016-5390"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1355728"},{"type":"FIX","url":"http://projects.theforeman.org/issues/15653"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/theforeman/smart-proxy","events":[{"introduced":"27b23f5ab93b02faf66bb93579b79d52bcc4847f"},{"fixed":"4198ca38d7b8eb6695a61023a9fccf97fb59be86"},{"introduced":"fb319164de15280fb59bc25448d7f00d86703d15"},{"fixed":"4252c1083d5e16c375cd450abdf6fd24ac952048"}],"database_specific":{"versions":[{"introduced":"1.11.0"},{"fixed":"1.11.4"},{"introduced":"1.12.0"},{"fixed":"1.12.1"}]}}],"versions":["1.11.0","1.11.1","1.11.2","1.11.3","1.12.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-5390.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}