Bug 1477797 (CVE-2017-7552)

Summary: CVE-2017-7552 RHMAP Millicore IDE allows RCE on SCM
Product: [Other] Security Response Reporter: Jason Shepherd <jshepherd>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: avibelli, drusso, jbalunas, jmadigan, jmrazek, jshepherd, kpiwko, lgriffin, ngough, pbraun, pwright, rrajasek, security-response-team, tjay, tkirby
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: fh-scm-3.19.0, fh-scm-4.5.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in the file editor of millicore which allows files to be executed as well as created. An attacker could use this flaw to compromise other users or teams projects stored in source control management of the RHMAP Core installation.
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-09-26 22:53:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1461341    

Description Jason Shepherd 2017-08-03 02:08:16 UTC
The file editor in millicore allows files to be executed, as well as created. An attacker could use this flaw to compromise other users, or teams projects stored in source control managment of the RHMAP Core installation.

Comment 1 Jason Shepherd 2017-08-03 02:08:22 UTC
Acknowledgments:

Name: Tomas Rzepka

Comment 3 errata-xmlrpc 2017-09-18 06:33:19 UTC
This issue has been addressed in the following products:

  Red Hat Mobile Application Platform 4.5

Via RHSA-2017:2675 https://access.redhat.com/errata/RHSA-2017:2675

Comment 4 errata-xmlrpc 2017-09-18 09:01:19 UTC
This issue has been addressed in the following products:

  Red Hat Mobile Application Platform 4.5

Via RHSA-2017:2674 https://access.redhat.com/errata/RHSA-2017:2674