Jan Rusnacko of Red Hat reports: current CFME code contains dangerous send in cfme/vmdb/app/controllers/application_controller/performance.rb : 747: p_rpt.where_clause[2] = @perf_record.send(@perf_options[:parent].underscore).id This calls .send method on @perf_record, with argument @perf_options[:parent], which is supplied by user: 29: @perf_options[:parent] = params[:compare_to].blank? ? nil : params[:compare_to] if params.has_key?(:compare_to)
this bug was fixed by dclarizio 2982783ab1a5432d9a63a645061986f82bb95514 in the old upstream repo and it's fixed with the initial commit in the new repo so this is fixed for 5.3 --> moving to to QA
Acknowledgement: This issue was discovered by Jan Rusnacko of Red Hat Product Security.
IssueDescription: It was found that Red Hat CloudForms contained an insecure send method that accepted user-supplied arguments. An authenticated user could use this flaw to modify the program flow in a way that could result in privilege escalation.
This issue has been addressed in the following products: CloudForms Management Engine 5.3 Via RHSA-2014:1317 https://rhn.redhat.com/errata/RHSA-2014-1317.html