CVE-2017-2653
CVE-2017-2653 is a vulnerability of currently unknown severity. A number of unused delete routes are present in CloudForms before 5.7.2.1 and can be reached via GET requests instead of only POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection and cause those routes to be invoked. EPSS estimates a 1.39% chance of exploitation in the next 30 days.
Description
A number of unused delete routes are present in CloudForms before 5.7.2.1 and can be reached via GET requests instead of only POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection and cause those routes to be invoked. This attack would require an additional cross-site scripting or similar attack in order to execute.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Cloudforms Management Engine | < 5.7.2.1 |
| Redhat | Cloudforms | 4.2 |
References
- http://www.securityfocus.com/bid/96964 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:0898 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2653 (Issue Tracking, Third Party Advisory)
Source: NVD / NIST
