PT-2014-2542 · Manageiq+1 · Manageiq Enterprise Virtualization Manager+1
Published: 2014-01-11 · Updated: 2023-02-13 · CVE-2013-2050
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Red Hat CloudForms 2.0 Management Engine (CFME) versions 5.1 and earlier
ManageIQ Enterprise Virtualization Manager versions 5.0 and earlier
Description
The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via the profile[] parameter in an explorer action in the miq policy controller.
Recommendations
For Red Hat CloudForms 2.0 Management Engine (CFME) versions 5.1 and earlier, avoid using the profile[] parameter in explorer actions until a fix is available.
For ManageIQ Enterprise Virtualization Manager versions 5.0 and earlier, restrict access to the miq policy controller to minimize the risk of exploitation.
Exploit
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Manageiq Enterprise Virtualization Manager
Red Hat Cloudforms