OS Command Injection in CloudForms - CVE-2019-14894
Published: February 25, 2020
Vulnerability identifier: #VU25581
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-14894
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Red Hat Inc.
Affected software:
CloudForms
CloudForms
Detailed vulnerability description
The vulnerability allows a remote authenticated user to execute arbitrary shell commands on the target system with elevated privileges.
The vulnerability exists due to improper input validation when processing NFS backups within CloudForms Management Engine. A remote authenticated attacker with access to management console could use this flaw to execute arbitrary shell commands on the CloudForms server as root.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
How to mitigate CVE-2019-14894
Install updates from vendor's website.