Jan Rusnacko of Red Hat reports:
current CFME code contains dangerous send in
747: p_rpt.where_clause =
This calls .send method on @perf_record, with argument @perf_options[:parent],
which is supplied by user:
29: @perf_options[:parent] = params[:compare_to].blank? ? nil :
params[:compare_to] if params.has_key?(:compare_to)
this bug was fixed by dclarizio 2982783ab1a5432d9a63a645061986f82bb95514 in the old upstream repo
and it's fixed with the initial commit in the new repo
so this is fixed for 5.3 --> moving to QA
This issue was discovered by Jan Rusnacko of Red Hat Product Security.
It was found that Red Hat CloudForms contained an insecure send method that accepted user-supplied arguments. An authenticated user could use this flaw to modify the program flow in a way that could result in privilege escalation.
This issue has been addressed in the following products:
CloudForms Management Engine 5.3
Via RHSA-2014:1317 https://rhn.redhat.com/errata/RHSA-2014-1317.html
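
The pattern described in the report, a request parameter used as the method name passed to `send`, shown beside an allowlisted form. This is an added example, not CFME code and not the fix referenced above; `PerfRecord`, its methods, the helper names and the allowlist are hypothetical.

```ruby
# Constructed stand-in for the record in the report; every name here is hypothetical.
class PerfRecord
  def host;    "host-01";   end
  def cluster; "cluster-a"; end

  private

  # Internal helper that a request parameter should never be able to reach.
  def internal_secret; "not-for-users"; end
end

# Pattern from the report: the request parameter picks the method.
# Object#send ignores visibility, so private methods are reachable too.
def parent_unsafe(record, compare_to)
  record.send(compare_to)
end

# Hardened form: the parameter may only select from a fixed list of relations.
ALLOWED_PARENTS = %w[host cluster].freeze

def parent_safe(record, compare_to)
  name = compare_to.to_s
  return nil if name.strip.empty?   # same outcome as the blank? -> nil branch
  unless ALLOWED_PARENTS.include?(name)
    raise ArgumentError, "unsupported compare_to value: #{name.inspect}"
  end
  record.public_send(name)          # public_send refuses private methods
end

# Runs both forms against the same constructed input and collects the results.
def demo
  rec = PerfRecord.new
  rejected = begin
    parent_safe(rec, "internal_secret")
    false
  rescue ArgumentError
    true
  end
  { unsafe: parent_unsafe(rec, "internal_secret"),
    safe: parent_safe(rec, "host"),
    blank: parent_safe(rec, ""),
    rejected: rejected }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```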