PT-2016-7191 · Red Hat · Red Hat Cloudforms Management Engine

Tim Wade

Published

2016-10-07

Updated

2016-11-28

CVE-2016-7040

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Red Hat CloudForms Management Engine version 4.1

Description The issue arises from improper handling of regular expressions passed to the expression engine via the JSON API and the web-based UI. This allows remote authenticated users to execute arbitrary shell commands by leveraging the ability to view and filter collections.

Recommendations For Red Hat CloudForms Management Engine version 4.1, consider restricting access to the JSON API and the web-based UI to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the expression engine with untrusted input.

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284

Related Identifiers

CVE-2016-7040

RHSA-2016:1996

Affected Products

Red Hat Cloudforms Management Engine

PT-2016-7191 · Red Hat · Red Hat Cloudforms Management Engine

CVE-2016-7040

Weakness Enumeration

Related Identifiers

Affected Products

References · 4