Bug 959062 (CVE-2013-2050)

Summary: CVE-2013-2050 CloudForms Management Engine 2: miq_policy/explorer SQL injection
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Version: unspecified
CC: bdunne, bressers, dclarizi, djorm, jfrey, jrafanie, kseifried, obarenbo, security-response-team, xlecauch
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-11-13 02:02:14 UTC
Bug Depends On: 959065
Bug Blocks: 959064, 1011266

Description Kurt Seifried 2013-05-03 05:53:17 UTC
It was found that the MiqPolicyController component of CloudForms Management Engine (CFME) was vulnerable to SQL injection. A remote attacker could use this flaw to execute arbitrary SQL statements in the CFME database.

Comment 2 Murray McAllister 2013-05-14 00:51:55 UTC
Acknowledgements:

This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.

Comment 5 David Jorm 2013-11-13 02:02:14 UTC
Statement:

This issue is resolved in CloudForms 3.0. The maintenance support policy for CloudForms 2.0 only covers critical security issues, meaning this issue is out of scope. Users of CloudForms 2.0 are advised to upgrade to CloudForms 3.0 to address this issue.