Missing Authorization in CloudForms

#VU45880 Missing Authorization in CloudForms

Published: 2020-08-11 | Updated: 2020-08-21

Vulnerability identifier: #VU45880

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-10779

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
CloudForms
Client/Desktop applications / Multimedia software

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Red Hat CloudForms 4.7 and 5 leads to insecure direct object references (IDOR) and functional level access control bypass due to missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within the CloudForms.

Mitigation
Install update from vendor's website.

Vulnerable software versions

CloudForms: 4.7 - 5.0.0

External links
http://access.redhat.com/security/cve/cve-2020-10779
http://bugzilla.redhat.com/show_bug.cgi?id=1847647

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in CloudForms