CVE-2017-7530
8.8
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | cfme | 5.7.3 | affected |
| Red Hat | cfme | 5.8.1 | affected |
Weaknesses
- CWE-862: CWE-862
ADP Enrichment
CVE Program Container
Additional References
- http://www.securityfocus.com/bid/100151
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7530
- https://access.redhat.com/errata/RHSA-2017:1758
References
- http://www.securityfocus.com/bid/100151
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7530
- https://access.redhat.com/errata/RHSA-2017:1758
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.