A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as.
A vulnerability in CFME and ManageIQ was found that allows users authorized to use the product feature known as "Control" or "Policies" to run arbitrary code as root.
The `eval` is run on a property of the MiqEventDefinition table. Usually, this table is filled with stock data on product start-up. The default properties of this table are at
However, an attacker can override any of the default stock values and place their own code in the MiqEventDefinition table, which is later `eval`ed.
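The pattern at issue, shown as an added illustration rather than ManageIQ's own code: a row-stored string fed to `eval` beside a hardened dispatcher that treats the stored value only as a key into a fixed handler table. The `EventDefinition` struct, the `HANDLERS` table and the sample rows are constructed for this example.

```ruby
# Added example (not ManageIQ/CFME code). A record whose "definition" column
# can be rewritten by an authorized user, and two ways of acting on it.
EventDefinition = Struct.new(:name, :definition)

# Vulnerable pattern described in the advisory: the stored string is evaluated,
# so anyone who can write the row runs Ruby as the application process.
def run_event_unsafe(record)
  eval(record.definition) # for contrast only; never ship this
end

# Hardened pattern: the stored value selects one of a fixed set of handlers.
# Anything not in the table is rejected instead of executed.
HANDLERS = {
  "vm_start" => ->(ctx) { "starting #{ctx[:vm]}" },
  "vm_stop"  => ->(ctx) { "stopping #{ctx[:vm]}" },
}.freeze

class UnknownEventHandler < StandardError; end

def run_event_safe(record, ctx = {})
  handler = HANDLERS.fetch(record.definition) do
    raise UnknownEventHandler, "no handler named #{record.definition.inspect}"
  end
  handler.call(ctx)
end

# Constructed sample rows: a stock row and one whose definition was overridden
# with Ruby source instead of a handler name.
STOCK_ROW    = EventDefinition.new("vm_start", "vm_start")
TAMPERED_ROW = EventDefinition.new("vm_start", "puts 'arbitrary ruby here'")

if __FILE__ == $PROGRAM_NAME
  puts run_event_safe(STOCK_ROW, vm: "db01")
  begin
    run_event_safe(TAMPERED_ROW)
  rescue UnknownEventHandler => e
    puts "rejected: #{e.message}"
  end
end
```

The same allowlist idea applies to any column that ends up in `eval`, `send`, or `constantize`: validate the stored value against known names on write, and dispatch by lookup on read.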
Name: Simon Lukasik (Red Hat)
This issue has been addressed in the following products:
CloudForms Management Engine 5.6
Via RHSA-2016:2839 https://rhn.redhat.com/errata/RHSA-2016-2839.html