Vulnerability Description
A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting or similar attacks in order to execute.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Cloudforms Management Engine | < 5.7.2.1 |
| Redhat | Cloudforms | 4.2 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/96964Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2017:0898Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2653Issue TrackingThird Party Advisory
- http://www.securityfocus.com/bid/96964Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2017:0898Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2653Issue TrackingThird Party Advisory
FAQ
What is CVE-2017-2653?
CVE-2017-2653 is a vulnerability with a CVSS score of 4.1 (MEDIUM). A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_...
How severe is CVE-2017-2653?
CVE-2017-2653 has been rated MEDIUM with a CVSS base score of 4.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-2653?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Cloudforms Management Engine, Redhat Cloudforms.