CVE-2017-7530 - Unspecified vulnerability in Red Hat CloudForms and CloudForms Management Engine

CVSS 8.8 - HIGH
  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: LOW
  • Confidentiality impact: HIGH
  • Integrity impact: HIGH
  • Availability impact: HIGH

Summary

In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, a privilege check is missing when arbitrary methods are invoked via filtering on VMs. MiqExpression executes these methods, and the filtering is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs).

Red Hat

Advisories
RHSA id: RHSA-2017:1758
rpms
  • ansible-0:2.3.0.0-1.el7
  • ansible-tower-server-0:3.1.3-1.el7at
  • ansible-tower-setup-0:3.1.3-1.el7at
  • cfme-0:5.8.1.5-1.el7cf
  • cfme-appliance-0:5.8.1.5-1.el7cf
  • cfme-appliance-debuginfo-0:5.8.1.5-1.el7cf
  • cfme-debuginfo-0:5.8.1.5-1.el7cf
  • cfme-gemset-0:5.8.1.5-1.el7cf
  • rh-ruby23-rubygem-nokogiri-0:1.7.2-1.el7cf
  • rh-ruby23-rubygem-nokogiri-debuginfo-0:1.7.2-1.el7cf
  • rh-ruby23-rubygem-nokogiri-doc-0:1.7.2-1.el7cf