Bug 1077359 (CVE-2014-0140) - CVE-2014-0140 CFME: default routes expose controllers and actions
Summary: CVE-2014-0140 CFME: default routes expose controllers and actions
Status: CLOSED ERRATA
Alias: CVE-2014-0140
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20141002,repor...
Keywords: Security
Depends On: 1077361 1077362
Blocks: 1086524
Reported: 2014-03-17 19:43 UTC by Kurt Seifried
Modified: 2019-06-08 19:57 UTC (History)
Clone Of:
Last Closed: 2014-10-02 20:30:54 UTC




External Trackers
Tracker ID: Red Hat Product Errata RHSA-2014:1317
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: cfme security, bug fix, and enhancement update
Last Updated: 2014-10-02 22:40:23 UTC

Description Kurt Seifried 2014-03-17 19:43:17 UTC
Issue Description:

It was found that Red Hat CloudForms exposed default routes that were reachable via HTTP(S) requests. An authenticated user could use this flaw to access potentially sensitive controllers and actions that would allow for privilege escalation.
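
The record does not name the framework, but CloudForms Management Engine is a Ruby on Rails application, and the "default routes" it refers to are the catch-all `match ':controller(/:action(/:id))'` line that Rails 3 generated (commented out) in config/routes.rb; enabling it makes every public method on every controller a reachable URL. The following Ruby script is an added illustration, not code from this bug or from CloudForms: it models how such a catch-all dispatches a request next to the explicit route table that replaces it. The `ReportsController`, `InternalController`, `reload_config` action and `CONTROLLERS` lookup are hypothetical stand-ins for real Rails constant lookup and `action_methods`.

```ruby
# Added illustration, not code from the Bugzilla record or from CloudForms.
# Models how a Rails catch-all "default route" dispatches requests, beside
# the explicit route table that replaces it. Controllers are hypothetical.

# Hypothetical controllers. In Rails, every public instance method a
# controller defines is an "action" that the default route could reach.
class ReportsController
  def index
    "reports#index"
  end
end

class InternalController
  def reload_config
    "internal#reload_config (privileged)"
  end
end

# Name-to-class lookup, standing in for Rails' constant lookup of
# "#{name.camelize}Controller".
CONTROLLERS = {
  "reports"  => ReportsController,
  "internal" => InternalController,
}.freeze

# Only methods the controller itself defines count as actions, mirroring
# Rails' action_methods, which excludes methods inherited from Object.
def action?(klass, action)
  klass.public_instance_methods(false).include?(action.to_sym)
end

# Weak configuration: the legacy catch-all
#   match ':controller(/:action(/:id))'
# in config/routes.rb. Any controller name plus any action name in the
# path is dispatched, whether or not anyone meant it to be a URL.
def dispatch_with_default_route(path)
  controller, action = path.split("/").reject(&:empty?)
  klass = CONTROLLERS[controller]
  return nil unless klass && action && action?(klass, action)
  klass.new.public_send(action)
end

# Hardened configuration: each reachable URL is listed explicitly (the
# equivalent of `get 'reports' => 'reports#index'` lines), so a
# controller/action pair is unreachable unless a route was written for it.
EXPLICIT_ROUTES = {
  "reports/index" => [ReportsController, :index],
}.freeze

def dispatch_with_explicit_routes(path)
  klass, action = EXPLICIT_ROUTES[path.split("/").reject(&:empty?).join("/")]
  klass ? klass.new.public_send(action) : nil
end

if __FILE__ == $PROGRAM_NAME
  ["/reports/index", "/internal/reload_config"].each do |path|
    puts format("%-26s default: %-40s explicit: %s", path,
                dispatch_with_default_route(path).inspect,
                dispatch_with_explicit_routes(path).inspect)
  end
end
```

The mitigation is the same shape as the second half of the script: delete the catch-all from config/routes.rb and declare each URL with `get`/`post`/`resources`. `rake routes` then lists exactly the reachable controller/action pairs, which is the list to review for anything that should not be exposed.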

Comment 5 Kurt Seifried 2014-09-17 02:15:48 UTC
Acknowledgement:

This issue was discovered by Jan Rusnacko of Red Hat Product Security.

Comment 6 errata-xmlrpc 2014-10-02 18:53:42 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.3

Via RHSA-2014:1317 https://rhn.redhat.com/errata/RHSA-2014-1317.html

