SB2020022509 - OS command injection in Red Hat CloudForms
Published: February 25, 2020
Security Bulletin ID
SB2020022509
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) OS Command Injection (CVE-ID: CVE-2019-14894)
The vulnerability allows a remote authenticated user to execute arbitrary shell commands on the target system with elevated privileges.
The vulnerability exists due to improper input validation when processing NFS backups within CloudForms Management Engine. A remote authenticated attacker with access to management console could use this flaw to execute arbitrary shell commands on the CloudForms server as root.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.