CVE-2017-7530

Published: Jul 26, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs).

Affected (3)

Products: Redhat: Cloudforms, Cloudforms Management Engine

2 products

Cloudforms Management Engine

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Redhat Cloudforms	Version 4.5
Redhat Cloudforms Management Engine	Before 5.7.3
Redhat Cloudforms Management Engine	From 5.8.0 to 5.8.1

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (6)

http://www.securityfocus.com/bid/100151

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2017:1758

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7530

Source: secalert@redhat.com

Issue TrackingVendor Advisory

http://www.securityfocus.com/bid/100151

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2017:1758

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7530

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.