Bug 1847628 (CVE-2020-10778)

Summary: CVE-2020-10778 CloudForms: Business logic bypass through widgets
Product: [Other] Security Response Reporter: Yadnyawalk Tale <ytale>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: akarol, dmetzger, gmccullo, gtanzill, jfrey, jhardy, obarenbo, roliveri, security-response-team, simaishi, smallamp
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cfme-gemset 5.11.7.1 Doc Type: If docs needed, set a value
Doc Text:
A business logic flaw was found in Red Hat CloudForms where the read-only values of the Widgets could be altered. An attacker with low privileges could bypass server-side validation by dropping the disabled attribute from the fields.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-06 19:27:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1847631, 1847632    
Bug Blocks: 1847620    

Description Yadnyawalk Tale 2020-06-16 17:34:20 UTC 
In Red Hat CloudForms 4.7 and 5, the read only widgets can be edited by inspecting the forms and dropping the disabled attribute from the fields since there is no server-side validation. This business logic flaw violate the expected behavior.
Comment 4 Yadnyawalk Tale 2020-06-24 17:28:36 UTC 
Acknowledgments:

Name: Purnachand Pulahari (IBM), Ranjit Kumar Singh (IBM)
Comment 6 errata-xmlrpc 2020-08-06 14:32:35 UTC 
This issue has been addressed in the following products:

  CloudForms Management Engine 5.11

Via RHSA-2020:3358 https://access.redhat.com/errata/RHSA-2020:3358
Comment 7 Product Security DevOps Team 2020-08-06 19:27:45 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10778
Comment 8 errata-xmlrpc 2020-08-27 16:01:37 UTC 
This issue has been addressed in the following products:

  CloudForms Management Engine 5.10

Via RHSA-2020:3574 https://access.redhat.com/errata/RHSA-2020:3574