PT-2014-5353 · Red Hat · Red Hat Cloudforms

Published: 2014-07-07 · Updated: 2023-02-13 · CVE-2014-3486

CVSS v2.0: 6.9 (Medium)

Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Red Hat CloudForms versions prior to 5.2.4.2

Description

The issue allows local users to execute arbitrary commands via a symlink attack on a temporary file with a predictable name. The flaw is in the shell_exec function in lib/util/MiqSshUtilV1.rb and the temp_cmd_file function in lib/util/MiqSshUtilV2.rb.

Recommendations

For versions prior to 5.2.4.2, update to version 5.2.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the shell_exec function and the temp_cmd_file function to minimize the risk of exploitation.
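
The weakness class described above, shown as an added Ruby example that is not CloudForms code and not taken from the advisory: a fixed temporary file name beside a hardened form that refuses a pre-existing path. The function names, the file name cmd_file.sh and the scenario are constructed for illustration.

```ruby
require "tmpdir"
require "securerandom"

# Weak pattern (illustrative, not CloudForms code): a fixed name in a shared
# directory. File.open with "w" follows a symlink already present at the path.
def write_cmd_file_weak(dir, script)
  path = File.join(dir, "cmd_file.sh")          # predictable name (constructed)
  File.open(path, "w") { |f| f.write(script) }
  path
end

# Hardened pattern: unpredictable name, plus O_EXCL|O_NOFOLLOW so the open
# fails if anything, including a symlink, already exists at the path.
def write_cmd_file_safe(dir, script, name: "cmd_#{SecureRandom.hex(16)}.sh")
  path  = File.join(dir, name)
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(path, flags, 0o600) { |f| f.write(script) }
  path
end

# Constructed scenario in a throwaway directory: the expected name already
# exists as a symlink to a file that must not be modified.
def demo
  Dir.mktmpdir do |dir|
    target = File.join(dir, "other_users_file")
    File.write(target, "original")
    File.symlink(target, File.join(dir, "cmd_file.sh"))

    write_cmd_file_weak(dir, "echo hi\n")
    weak_clobbered = File.read(target) != "original"

    File.write(target, "original")              # restore, then try the safe form
    refused = begin
      write_cmd_file_safe(dir, "echo hi\n", name: "cmd_file.sh")
      false
    rescue Errno::EEXIST, Errno::ELOOP
      true
    end
    safe_path = write_cmd_file_safe(dir, "echo hi\n")
    { weak_clobbered: weak_clobbered, refused: refused,
      target_intact: File.read(target) == "original",
      safe_mode: File.stat(safe_path).mode & 0o777,
      safe_is_symlink: File.symlink?(safe_path) }
  end
end
```

Ruby's standard Tempfile and Dir.mktmpdir provide the same exclusive-create behaviour and are usually the simpler choice when the file does not need a specific name.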

Fix

Weakness Enumeration

Link Following

Related Identifiers

CVE-2014-3486
RHSA-2014:0816

Affected Products

Red Hat Cloudforms