Privilege escalation in Red Hat CloudForms

Published: 2017-12-19 00:00:00
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
CVSSv2: 5.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE ID: CVE-2017-2664
CWE ID: CWE-284
Exploitation vector: Network
Public exploit: Not available
Vulnerable software: CloudForms
Vulnerable software versions: CloudForms 4.2
Vendor URL: Red Hat Inc.
Advisory type: Public

Security Advisory

1) Privilege escalation

Description

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the targeted system.

The weakness exists due to insufficient role-based access control (RBAC) on certain methods in the Rails application component. A remote authenticated attacker can gain system privileges and conduct further attacks.
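A constructed Ruby illustration of the bug class the description names (CWE-284, an application method reachable without an RBAC check), added here and not CloudForms code: the roles, feature names and controller classes are invented, and the hardened form shows the check moved into a single pre-dispatch step, which is where a Rails before_action filter would enforce it.

```ruby
# Constructed illustration of CWE-284 as described for CVE-2017-2664: an
# application method reachable without an RBAC check. Not CloudForms code;
# the roles, features and controller names here are invented.

# Constructed role -> permitted-feature table.
ROLE_FEATURES = {
  "administrator" => %w[vm_show vm_delete],
  "operator"      => %w[vm_show],
}.freeze

class AccessDenied < StandardError; end

# Does the caller's role grant the requested feature? Unknown roles get nothing.
def authorized?(role, feature)
  ROLE_FEATURES.fetch(role, []).include?(feature)
end

# Vulnerable shape: the check is repeated per action, so an action that
# omits it is open to every authenticated user, whatever their role.
class VulnerableController
  def initialize(role); @role = role; end
  def show_vm
    raise AccessDenied unless authorized?(@role, "vm_show")
    :shown
  end
  def delete_vm   # no RBAC check: an "operator" can call this
    :deleted
  end
end

# Hardened shape: each action maps to a feature and the check runs once,
# centrally, before dispatch (the job of a Rails before_action filter);
# actions missing from the map are denied by default.
class HardenedController
  ACTION_FEATURE = { show_vm: "vm_show", delete_vm: "vm_delete" }.freeze
  def initialize(role); @role = role; end
  def dispatch(action)
    feature = ACTION_FEATURE.fetch(action) { raise AccessDenied }
    raise AccessDenied unless authorized?(@role, feature)
    send("do_#{action}")
  end
  private
  def do_show_vm; :shown; end
  def do_delete_vm; :deleted; end
end
```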

Remediation

Install the update from the vendor's website.

External links

https://access.redhat.com/errata/RHSA-2017:3484
