CVE-2017-7530

Impact:
Important
Public Date:
2017-08-02
CWE:
CWE-862
Bugzilla:
1465448: CVE-2017-7530 cfme: Execution of arbitrary methods through filter param
It was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs).

Find out more about CVE-2017-7530 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 8.8
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
CloudForms Management Engine 5.8 (cfme) RHSA-2017:1758 2017-08-02

Acknowledgements

This issue was discovered by Tim Wade (Red Hat).
Last Modified