CVE-2017-2664

Impact:
Important
Public Date:
2017-08-02
CWE:
CWE-284
Bugzilla:
1435393: CVE-2017-2664 CloudForms: lack of RBAC on various methods in web UI
CloudForms lacks RBAC (role-based access control) checks on certain methods in the Rails application portion of CloudForms. An attacker with (low-privileged) access to the web UI could invoke a variety of these unprotected methods in the Rails application to escalate privileges.
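The class of bug described above is a privileged web-UI method that runs without first consulting the RBAC layer. The following is an added illustration, not code from CloudForms or Red Hat: plain Ruby with no Rails dependency, with the role names, feature identifiers, user names and action names all constructed for the example. It shows the vulnerable pattern (an action that does privileged work unconditionally) beside a guarded dispatcher that denies any action whose feature mapping is missing, so that forgetting to register a method fails closed rather than open.

```ruby
# Added example: RBAC enforced before a web-UI method runs (not CloudForms code).
require 'set'

class AccessDenied < StandardError; end

# Constructed role -> granted-feature map. A real product would load this
# from its role definitions; the names here are hypothetical.
ROLE_FEATURES = {
  'viewer'        => Set['vm_show'],
  'administrator' => Set['vm_show', 'vm_delete', 'user_role_edit'],
}.freeze

# Constructed action -> required-feature map used by the guarded dispatcher.
ACTION_FEATURES = {
  'vm_show'     => 'vm_show',
  'vm_delete'   => 'vm_delete',
  'role_update' => 'user_role_edit',
}.freeze

User = Struct.new(:name, :role)

# True when the user's role grants the named feature; unknown roles get nothing.
def authorized?(user, feature)
  ROLE_FEATURES.fetch(user.role, Set.new).include?(feature)
end

# Vulnerable pattern: privileged work with no RBAC check. Any authenticated
# user who can reach this method succeeds, which is the bug class in the CVE.
def unguarded_delete_vm(user, vm_id)
  "vm #{vm_id} deleted by #{user.name}"
end

# Hardened pattern: an explicit check guards the method itself.
def guarded_delete_vm(user, vm_id)
  raise AccessDenied, "#{user.name} lacks vm_delete" unless authorized?(user, 'vm_delete')
  "vm #{vm_id} deleted by #{user.name}"
end

# Hardened pattern at the dispatch layer (the equivalent of a Rails
# before_action): every action must be mapped to a feature, and an unmapped
# action is denied rather than silently allowed (default deny).
def dispatch(user, action)
  feature = ACTION_FEATURES[action]
  raise AccessDenied, "no RBAC feature mapped for action #{action}" if feature.nil?
  raise AccessDenied, "#{user.name} lacks #{feature}" unless authorized?(user, feature)
  yield
end

# Audit helper for defenders: the features a given user is denied. Useful
# for confirming that low-privileged roles cannot reach privilege-changing
# features such as role editing.
def denied_features(user)
  all = ROLE_FEATURES.values.reduce(Set.new, :|)
  (all - ROLE_FEATURES.fetch(user.role, Set.new)).to_a.sort
end

if __FILE__ == $0
  viewer = User.new('alice', 'viewer')
  puts unguarded_delete_vm(viewer, 42)   # succeeds: the vulnerable pattern
  begin
    guarded_delete_vm(viewer, 42)
  rescue AccessDenied => e
    puts "denied: #{e.message}"
  end
  puts "alice is denied: #{denied_features(viewer).join(', ')}"
end
```

The point of routing every request through `dispatch` is that authorization is decided in one place: adding a new controller method without registering its feature produces a denial that shows up immediately in testing, instead of a silently unprotected endpoint.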

Find out more about CVE-2017-2664 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score: 6.5
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None

Red Hat Security Errata

Platform | Errata | Release Date
CloudForms Management Engine 5.8 (cfme) | RHSA-2017:1758 | 2017-08-02
CloudForms Management Engine 5.7 (cfme) | RHSA-2017:3484 | 2017-12-18

Acknowledgements

This issue was discovered by Libor Pichler (Red Hat) and Martin Povolny (Red Hat).
Last Modified