PT-2016-7191 · Red Hat · Red Hat Cloudforms Management Engine

Tim Wade

Publicado

2016-10-07

Atualizado

2016-11-28

CVE-2016-7040

CVSS v2.0

9.0

Alta

Vetor

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Red Hat CloudForms Management Engine version 4.1

Description The issue arises from improper handling of regular expressions passed to the expression engine via the JSON API and the web-based UI. This allows remote authenticated users to execute arbitrary shell commands by leveraging the ability to view and filter collections.

Recommendations For Red Hat CloudForms Management Engine version 4.1, consider restricting access to the JSON API and the web-based UI to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the expression engine with untrusted input.

Correção

Improper Access Control

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-284

Identificadores relacionados

CVE-2016-7040

RHSA-2016:1996

Produtos afetados

Red Hat Cloudforms Management Engine

PT-2016-7191 · Red Hat · Red Hat Cloudforms Management Engine

CVE-2016-7040

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 4