Vulnerability Description
In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, a privilege check is missing when arbitrary methods are invoked via filtering on VMs; MiqExpression executes these methods, and the filter is triggerable by API users. An attacker could use this to execute actions they should not be allowed to perform (e.g. destroying VMs).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Cloudforms | 4.5 |
| Redhat | Cloudforms Management Engine | < 5.7.3 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/100151 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:1758 (Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7530 (Issue Tracking, Vendor Advisory)
FAQ
What is CVE-2017-7530?
CVE-2017-7530 is a vulnerability with a CVSS score of 8.8 (HIGH). In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that a privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will ex...
How severe is CVE-2017-7530?
CVE-2017-7530 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2017-7530?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Cloudforms, Redhat Cloudforms Management Engine.