CVE-2017-2653

4.1MEDIUM

Key Information:

Vendor
Red Hat
Status
Cloudforms
Vendor
CVE Published:
27 July 2018

Summary

A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting or similar attacks in order to execute.

Affected Version(s)

CloudForms 5.7.2.1

References

https://access.redhat.com/errata/RHSA-2017:0898
vendor-advisoryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2653
x_refsource_CONFIRM
http://www.securityfocus.com/bid/96964
vdb-entryx_refsource_BID

CVSS V3.1

Score:
4.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.