Vulnerability Description
CloudForms releases before 5.6.2.2 and 5.7.0.7 did not properly apply permission controls to VM IDs supplied by users. A remote, authenticated attacker could use this flaw to run arbitrary VMs on systems managed by CloudForms if they know the ID of the VM: the server resolved the user-supplied ID without checking that the caller was authorized to act on that VM.
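The flaw class described above is a missing object-level authorization check on a user-supplied identifier. The following is an added illustration, not CloudForms or ManageIQ code: the Vm and User structs, the tenants, the VM IDs and the function names are all constructed for the example. It shows a lookup that trusts the ID alone next to one that resolves the ID only inside the set of VMs the caller is allowed to see.

```ruby
# Added illustration of a missing object-level authorization check (the class
# of flaw described for CVE-2016-7071). This is NOT CloudForms/ManageIQ code;
# the model, users, tenants and VM IDs below are constructed for the example.

Vm   = Struct.new(:id, :name, :tenant, :state)
User = Struct.new(:name, :tenant)

class NotFoundError < StandardError; end

# Constructed inventory: two tenants, each owning its own VMs.
VMS = [
  Vm.new(101, "web-01", "tenant-a", :stopped),
  Vm.new(102, "db-01",  "tenant-a", :stopped),
  Vm.new(201, "erp-01", "tenant-b", :stopped),
].freeze

def reset_vms
  VMS.each { |vm| vm.state = :stopped }
end

# Vulnerable pattern: the VM is fetched by the user-supplied ID alone, so any
# authenticated user who knows (or guesses) an ID can act on any VM.
def start_vm_unscoped(_user, vm_id)
  vm = VMS.find { |v| v.id == vm_id } or raise NotFoundError, "vm #{vm_id}"
  vm.state = :running
  vm
end

# Hardened pattern: the ID is resolved only within the VMs the caller is
# authorized to see. An ID outside that scope behaves exactly like a
# non-existent one, which also avoids leaking whether the VM exists.
def visible_vms(user)
  VMS.select { |v| v.tenant == user.tenant }
end

def start_vm_scoped(user, vm_id)
  vm = visible_vms(user).find { |v| v.id == vm_id } or raise NotFoundError, "vm #{vm_id}"
  vm.state = :running
  vm
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new("alice", "tenant-a")
  reset_vms
  puts "unscoped: alice started #{start_vm_unscoped(alice, 201).name} (tenant-b VM)"
  reset_vms
  begin
    start_vm_scoped(alice, 201)
  rescue NotFoundError => e
    puts "scoped: alice denied (#{e.message})"
  end
end
```

In a Rails-style code base the same distinction is the difference between `Model.find(params[:id])` and a lookup that goes through the current user's authorized relation; whichever framework is in play, the check belongs at the point where the ID is resolved, not in the UI that lists which VMs a user may see.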
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Cloudforms Management Engine | < 5.6.2.2 |
| Redhat | Cloudforms | 4.1 |
Related Weaknesses (CWE)
References
- http://rhn.redhat.com/errata/RHSA-2016-2091.html (Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7071 (Issue Tracking, Vendor Advisory)
FAQ
What is CVE-2016-7071?
CVE-2016-7071 is a vulnerability with a CVSS score of 8.8 (HIGH). CloudForms releases before 5.6.2.2 and 5.7.0.7 did not properly apply permission controls to VM IDs supplied by users. A remote, authenticated attacker could use this flaw to run arbitrary VMs on systems managed by CloudForms if they know the ID of the VM.
How severe is CVE-2016-7071?
CVE-2016-7071 has been rated HIGH with a CVSS base score of 8.8/10. The full CVSS vector is not reproduced on this page; the vendor advisory and issue tracker linked in the references give the metric breakdown.
Is there a patch for CVE-2016-7071?
Yes. The description names 5.6.2.2 and 5.7.0.7 as the fixed releases, and Red Hat's advisory RHSA-2016-2091 (linked in the references) carries the update. Affected products listed here are Redhat Cloudforms Management Engine (< 5.6.2.2) and Redhat Cloudforms 4.1.