Jan Rusnacko of the Red Hat Product Security Team reports:

CFME contains an unsafe invocation of the send method on a user-supplied argument. Brakeman reports this issue as a problem in the ServiceController method x_button (vmdb/app/controllers/service_controller.rb):

    def x_button
      @explorer = true
      model, action = pressed2model_action(params[:pressed])
      @sb[:action] = action
      if ["ownership","tag"].include?(action)
        self.send(params[:pressed],"Service")
      else
        self.send(params[:pressed])
      end
    end

Assuming pressed2model_action sanitizes user input, this looks like a false positive. However, pressed2model_action does no sanitization; it only splits the string on an underscore:

    def pressed2model_action(pressed)
      pressed =~ /^(vm_vdi|miq_template)_(.*)$/ ? [$1, $2] : pressed.split('_', 2)
    end

If the action parsed from the user-supplied input is neither "ownership" nor "tag", the else branch is executed and the client can invoke an arbitrary method on the controller, including private ones.
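The defensive pattern that removes this class of bug is to never pass request data to send at all: map the button name through an explicit allowlist of handlers and dispatch with public_send, so an unknown or private method name is rejected before any method lookup happens. The following is an added example written for this advisory, not CFME's own code; the SafeServiceController class, the BUTTON_HANDLERS table, the handler methods and the use of a plain Hash for params are all assumptions. Only pressed2model_action is copied from the report above.

```ruby
# Added example (not CFME code): allowlisted button dispatch in place of
# self.send(params[:pressed]). Everything except pressed2model_action is assumed.

class UnknownButtonError < StandardError; end

class SafeServiceController
  # Copied from the report: splits "service_tag" into ["service", "tag"] and
  # "vm_vdi_tag" into ["vm_vdi", "tag"]. It validates nothing.
  def pressed2model_action(pressed)
    pressed =~ /^(vm_vdi|miq_template)_(.*)$/ ? [$1, $2] : pressed.split('_', 2)
  end

  # Explicit allowlist (assumed names): the only button values that may be
  # dispatched, and the handler each one maps to. The request string is used
  # purely as a lookup key, never as a method name.
  BUTTON_HANDLERS = {
    'service_tag'       => :service_tag,
    'service_ownership' => :service_ownership,
    'service_delete'    => :service_delete,
  }.freeze

  attr_reader :sb, :log

  def initialize
    @sb  = {}
    @log = []   # records which handler ran, for inspection in tests
  end

  # Hardened x_button. params is a plain Hash here (assumption).
  def x_button(params)
    pressed = params[:pressed].to_s
    handler = BUTTON_HANDLERS[pressed]
    raise UnknownButtonError, "unknown button: #{pressed.inspect}" unless handler

    _model, action = pressed2model_action(pressed)
    @sb[:action] = action
    # public_send, unlike send, refuses to call private methods even if a
    # private name were ever to slip into the table.
    if %w[ownership tag].include?(action)
      public_send(handler, 'Service')
    else
      public_send(handler)
    end
  end

  def service_tag(model)
    @log << [:tag, model]
    :tagged
  end

  def service_ownership(model)
    @log << [:ownership, model]
    :ownership_set
  end

  def service_delete
    @log << [:delete]
    :deleted
  end

  private

  # A private method that must never be reachable from a request parameter.
  def reset_database
    @log << [:reset_database]
    :reset
  end
end

if __FILE__ == $PROGRAM_NAME
  c = SafeServiceController.new
  puts c.x_button({ pressed: 'service_tag' }).inspect
  begin
    c.x_button({ pressed: 'reset_database' })
  rescue UnknownButtonError => e
    puts "rejected: #{e.message}"
  end
end
```

The allowlist check runs before pressed2model_action, so the split helper no longer carries any security weight; it only selects the argument shape for a handler that has already been approved.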
Acknowledgements: This issue was discovered by Jan Rusnacko of the Red Hat Product Security Team.
This issue has been addressed in the following products:

CloudForms Management Engine 5.x: via RHSA-2014:0215, https://rhn.redhat.com/errata/RHSA-2014-0215.html