Jason Frey

**Name of the Vulnerable Software and Affected Versions** ManageIQ versions prior to jansa-4 ManageIQ versions prior to kasparov-2 ManageIQ versions prior to lasker-1 **Description** The issue is related to a flaw in the MiqExpression module where a low privilege user could enter a crafted Ruby string that would be evaluated, allowing an attacker to execute arbitrary code with root privileges on the host system. **Recommendations** For versions prior to jansa-4, update to jansa-4 or later. For versions prior to kasparov-2, update to kasparov-2 or later. For versions prior to lasker-1, update to lasker-1 or later. As a temporary workaround, consider restricting users, via RBAC, to only the part of the application that they need access to, to limit the surface of the attack.