CVE-2017-7530 - Unspecified vulnerability in Redhat Cloudforms and Cloudforms Management Engine

CVSS 6.5 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary

In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, a privilege check is missing when arbitrary methods are invoked via filtering on VMs. MiqExpression executes these methods, and the path can be triggered by API users. An attacker could use this to execute actions they should not be allowed to perform (e.g. destroying VMs).

Redhat

advisories
rhsa
id: RHSA-2017:1758
rpms:
  • ansible-0:2.3.0.0-1.el7
  • ansible-tower-server-0:3.1.3-1.el7at
  • ansible-tower-setup-0:3.1.3-1.el7at
  • cfme-0:5.8.1.5-1.el7cf
  • cfme-appliance-0:5.8.1.5-1.el7cf
  • cfme-appliance-debuginfo-0:5.8.1.5-1.el7cf
  • cfme-debuginfo-0:5.8.1.5-1.el7cf
  • cfme-gemset-0:5.8.1.5-1.el7cf
  • rh-ruby23-rubygem-nokogiri-0:1.7.2-1.el7cf
  • rh-ruby23-rubygem-nokogiri-debuginfo-0:1.7.2-1.el7cf
  • rh-ruby23-rubygem-nokogiri-doc-0:1.7.2-1.el7cf