Improper Permission Control in CloudForms by Red Hat
CVE-2016-7071

8.8HIGH

Key Information:

Vendor: Red Hat
Status: Cfme
Vendor: CVE Published:; 10 September 2018

Summary

An issue was identified in CloudForms prior to version 5.6.2.2 and 5.7.0.7, where permissions were not correctly enforced on VM IDs provided by users. This flaw allows a remote, authenticated attacker to execute arbitrary virtual machines on systems managed by CloudForms, provided they can ascertain the ID of the targeted VM. It highlights the importance of rigorous permission checks in managing virtual environments.

Affected Version(s)

CFME 5.6.2.2

CFME 5.7.0.7

References

http://rhn.redhat.com/errata/RHSA-2016-2091.html

vendor-advisoryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7071

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 10, 2018
Vulnerability Reserved
Aug 23, 2016