Bug 1283019 (CVE-2015-7502)
Summary: | CVE-2015-7502 CloudForms: insecure password storage in PostgreSQL database | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | apatters, cpelland, dajohnso, dclarizi, gblomqui, gmccullo, gtanzill, jfrey, jhardy, jprause, jrafanie, kseifried, obarenbo, roliveri, security-response-team, slong, xlecauch |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
A privilege escalation flaw was discovered in CloudForms, where in certain situations, CloudForms could read encrypted data from the database and then write decrypted data back into the database. If the database was then exported or log files generated, a local attacker might be able to gain access to sensitive information.
|
Last Closed: | 2015-12-16 17:06:00 UTC | Type: | --- |
Bug Depends On: | 1283325, 1283367, 1283369 | ||
Bug Blocks: | 1283021 |
Description
Kurt Seifried
2015-11-18 04:07:14 UTC
This issue has been addressed in the following products:

CloudForms Management Engine 5.5

Via RHSA-2015:2551 https://access.redhat.com/errata/RHSA-2015:2551

This issue has been addressed in the following products:

CloudForms Management Engine 5.4

Via RHSA-2015:2620 https://rhn.redhat.com/errata/RHSA-2015-2620.html