1077359 – (CVE-2014-0140) CVE-2014-0140 CFME: default routes expose controllers and actions

Bug 1077359 (CVE-2014-0140) - CVE-2014-0140 CFME: default routes expose controllers and actions

Summary: CVE-2014-0140 CFME: default routes expose controllers and actions

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-0140
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1077361 1077362
Blocks:	1086524
TreeView+	depends on / blocked

Reported:	2014-03-17 19:43 UTC by Kurt Seifried
Modified:	2023-05-12 20:49 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2014-10-02 20:30:54 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1317	0	normal	SHIPPED_LIVE	Moderate: cfme security, bug fix, and enhancement update	2014-10-02 22:40:23 UTC

Description Kurt Seifried 2014-03-17 19:43:17 UTC

IssueDescription:

It was found that Red Hat CloudForms exposed default routes that were reachable via HTTP(S) requests. An authenticated user could use this flaw to access potentially sensitive controllers and actions that would allow for privilege escalation.

Comment 5 Kurt Seifried 2014-09-17 02:15:48 UTC

Acknowledgement:

This issue was discovered by Jan Rusnacko of Red Hat Product Security.

Comment 6 errata-xmlrpc 2014-10-02 18:53:42 UTC

This issue has been addressed in the following products:

  CloudForms Management Engine 5.3

Via RHSA-2014:1317 https://rhn.redhat.com/errata/RHSA-2014-1317.html

Note You need to log in before you can comment on or make changes to this bug.