Bug 1871921 (CVE-2020-14369) - CVE-2020-14369 CloudForms: Cross Site Request Forgery in API notifications
Summary: CVE-2020-14369 CloudForms: Cross Site Request Forgery in API notifications
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14369
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1871924
Blocks: 1871878
TreeView+ depends on / blocked
 
Reported: 2020-08-24 15:28 UTC by Yadnyawalk Tale
Modified: 2021-02-16 19:26 UTC (History)
11 users (show)

Fixed In Version: cfme-gemset 5.11.8.1-1
Doc Type: If docs needed, set a value
Doc Text:
This release fixes a Cross Site Request Forgery vulnerability was found in Red Hat CloudForms which forces end users to execute unwanted actions on a web application in which the user is currently authenticated. An attacker can make a forgery HTTP request to the server by crafting custom flash file which can force the user to perform state changing requests like provisioning VMs, running ansible playbooks and so forth.
Clone Of:
Environment:
Last Closed: 2020-09-30 20:21:24 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4134 0 None None None 2020-09-30 13:56:04 UTC

Description Yadnyawalk Tale 2020-08-24 15:28:48 UTC
CloudForms version 5.11 and below are vulnerable to Cross Site Request Forgery attack which can force the user to perform state changing requests if the user is currently authenticated.

Comment 1 Yadnyawalk Tale 2020-08-24 15:28:55 UTC
Acknowledgments:

Name: Sruthi M (IBM), Purnachand Pulahari (IBM)
Upstream: ManageIQ

Comment 9 errata-xmlrpc 2020-09-30 13:55:21 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.11

Via RHSA-2020:4134 https://access.redhat.com/errata/RHSA-2020:4134

Comment 10 Product Security DevOps Team 2020-09-30 20:21:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14369


Note You need to log in before you can comment on or make changes to this bug.