Logic Error in CloudForms Role Validation Leading to Privilege Escalation
CVE-2017-2632

4.9MEDIUM

Key Information:

Vendor: Red Hat
Status: Cfme
Vendor: CVE Published:; 27 July 2018

What is CVE-2017-2632?

A logic error in the valid_role() function in versions of CloudForms before 5.7.1.3 allows tenant administrators to create groups with privileges exceeding their expected level. This issue can be exploited by an attacker with administrator access to elevate their privileges, which may lead to unauthorized access to sensitive operations within the environment. It is crucial for affected users to apply the necessary updates to mitigate this risk.

Affected Version(s)

cfme 5.7.1.3

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2632

x_refsource_CONFIRM

http://www.securityfocus.com/bid/96478

vdb-entryx_refsource_BID

http://rhn.redhat.com/errata/RHSA-2017-0320.html

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 27, 2018
Vulnerability Reserved
Dec 1, 2016

Red Hat

What is CVE-2017-2632?

Affected Version(s)

References

CVSS V3.1

Timeline