#VU25581 OS Command Injection in CloudForms - CVE-2019-14894
Published: February 25, 2020
Vulnerability identifier: #VU25581
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-14894
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
CloudForms
CloudForms
Software vendor:
Red Hat Inc.
Red Hat Inc.
Description
The vulnerability allows a remote authenticated user to execute arbitrary shell commands on the target system with elevated privileges.
The vulnerability exists due to improper input validation when processing NFS backups within CloudForms Management Engine. A remote authenticated attacker with access to management console could use this flaw to execute arbitrary shell commands on the CloudForms server as root.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install updates from vendor's website.