CVE-2017-7528

Published: Aug 22, 2018Modified: Nov 21, 2024

6.5

Vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarded-For header allows internal servers to deploy other systems (using callback).

Affected (2)

Products: Redhat: Ansible Tower, Cloudforms Management Engine

Redhat

2 products

Ansible Tower

Cloudforms Management Engine

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Ansible Tower	All versions
Redhat Cloudforms Management Engine	Version 5.0

Related CWEs

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

References (4)

http://www.securityfocus.com/bid/105143

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7528

Source: secalert@redhat.com

Issue TrackingVendor Advisory

http://www.securityfocus.com/bid/105143

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7528

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.