CVE-2017-7530
CVE-2017-7530 is a vulnerability of currently unknown severity. EPSS estimates a 1.70% chance of exploitation in the next 30 days.
Description
In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, a privilege check is missing when arbitrary methods are invoked via filtering on VMs. MiqExpression executes these methods, and the behaviour is triggerable by API users. An attacker could use this to execute actions they should not be allowed to perform (e.g. destroying VMs).
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Cloudforms | 4.5 |
| Redhat | Cloudforms Management Engine | < 5.7.3 |
| Redhat | Cloudforms Management Engine | >= 5.8.0, < 5.8.1 |
References
- http://www.securityfocus.com/bid/100151 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:1758 (Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7530 (Issue Tracking, Vendor Advisory)
Timeline
- Status: Modified
Source: NVD / NIST
