Tim Wade

**Name of the Vulnerable Software and Affected Versions** Red Hat CloudForms Management Engine version 4.1 **Description** The issue arises from improper handling of regular expressions passed to the expression engine via the JSON API and the web-based UI. This allows remote authenticated users to execute arbitrary shell commands by leveraging the ability to view and filter collections. **Recommendations** For Red Hat CloudForms Management Engine version 4.1, consider restricting access to the JSON API and the web-based UI to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the expression engine with untrusted input.