Bug 1465448 (CVE-2017-7530)
| Summary: | CVE-2017-7530 cfme: Execution of arbitrary methods through filter param | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | cpelland, dajohnso, dclarizi, gblomqui, gmccullo, gtanzill, hhudgeon, jfrey, jhardy, jprause, kseifried, obarenbo, roliveri, security-response-team, simaishi |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | cfme 5.7.3, cfme 5.8.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
It was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs).
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-02 19:12:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1467720 | ||
| Bug Blocks: | 1435396, 1465449 | ||
|
Description
Adam Mariš
2017-06-27 13:00:17 UTC
Acknowledgments: Name: Tim Wade (Red Hat) This issue has been addressed in the following products: CloudForms Management Engine 5.8 Via RHSA-2017:1758 https://access.redhat.com/errata/RHSA-2017:1758 |