Red Hat CloudForms 4.7 and 5 are affected by a role-based privilege escalation flaw. An attacker in a specific group can perform actions restricted to the EVM-Super-administrator group, which leads to exporting or importing administrator files. Initial patches for CVE-2020-10783 were later considered incomplete for other RBAC groups.
Acknowledgments: Name: Purnachand Pulahari (IBM), Ranjit Kumar Singh (IBM)
Statement: This vulnerability stems from incomplete fixes for the previously disclosed CVE-2020-10783, which only fixed this flaw for the EVM-Operator group.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
This issue has been addressed in the following products: CloudForms Management Engine 5.11 via RHSA-2020:5554 https://access.redhat.com/errata/RHSA-2020:5554
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25716