PT-2019-5697 · Red Hat · Cloudforms Management Engine

Published 2019-11-06 · Updated 2023-02-12 · CVE-2019-14894

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: CloudForms Management Engine versions 5.10 through 5.11
Description: The flaw is an OS command injection caused by insufficient validation of input accepted by the NFS schedule backup feature. Values supplied through that feature reach a shell command that the CloudForms server runs as root, so an attacker who is logged into the management console (the CVSS vector reflects the single authentication requirement) can execute arbitrary shell commands on the appliance as root and take it over completely.
Recommendations: Apply the vendor updates referenced in RHSA-2020:0588 and RHSA-2020:0589 (see Related Identifiers below). Until the update is installed, restrict access to the management console to trusted administrators, limit which accounts may create or edit backup schedules, and review existing NFS backup schedules for unexpected shell metacharacters in their settings, since any console user with that permission can trigger the flaw.
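The weakness class described above, shown as an added illustration that is not CloudForms or ManageIQ code: a backup-schedule form hands an NFS URI to a function that builds a `mount` command. The vulnerable version interpolates the URI into one command string (which Ruby's `system` runs through `/bin/sh` when it contains metacharacters), while the hardened version validates the host and export path against an allow-list and returns an argv array, which `system(*argv)` executes without a shell. The mount point, regular expressions and sample payload are assumptions chosen for the example.

```ruby
# Added example, not CloudForms/ManageIQ code. Both functions only BUILD the
# command so the file can run without root or a real NFS server; the comments
# show how each would be executed by a backup job.
require 'uri'

MOUNT_POINT = '/tmp/miq_backup'.freeze   # assumed mount point for the example

# Vulnerable pattern: user-controlled URI is spliced into a shell command string.
# A backup job would run it as `system(cmd)`; because the string contains
# metacharacters, Ruby spawns /bin/sh, which executes the injected command as
# whatever user runs the job (root, in the advisory's scenario).
def vulnerable_mount_command(nfs_uri)
  host, path = nfs_uri.sub(%r{\Anfs://}, '').split('/', 2)
  "mount -t nfs #{host}:/#{path} #{MOUNT_POINT}"
end

# Hardened pattern: parse the URI, allow-list every component that will reach
# the command line, and return an argv array. `system(*argv)` with several
# arguments execs the binary directly, so shell metacharacters are never
# interpreted even if validation were to miss something.
HOSTNAME_RE = /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?)*\z/
EXPORT_PATH_RE = %r{\A/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]*\z}

def safe_mount_argv(nfs_uri)
  begin
    u = URI.parse(nfs_uri)
  rescue URI::InvalidURIError => e
    raise ArgumentError, "malformed NFS URI: #{e.message}"
  end
  raise ArgumentError, 'scheme must be nfs' unless u.scheme == 'nfs'
  raise ArgumentError, 'invalid NFS host' unless u.host && u.host.match?(HOSTNAME_RE)
  raise ArgumentError, 'invalid export path' unless u.path.match?(EXPORT_PATH_RE)
  ['mount', '-t', 'nfs', "#{u.host}:#{u.path}", MOUNT_POINT]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed payload: a value an attacker could type into a schedule form.
  payload = 'nfs://10.0.0.5/export; touch /tmp/pwned; #'
  puts "vulnerable: #{vulnerable_mount_command(payload)}"
  begin
    safe_mount_argv(payload)
  rescue ArgumentError => e
    puts "hardened rejected payload: #{e.message}"
  end
  p safe_mount_argv('nfs://backup.example.internal/exports/cfme')
end
```

The argv form is the real fix; the allow-list is defence in depth and also keeps options such as a leading `-` out of the host field. Escaping with `Shellwords.escape` would make the string form safe for the shell as well, but it still routes every backup through `/bin/sh`, so the array form is the better default.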

OS Command Injection

RCE

Weakness Enumeration

Related Identifiers

BDU:2020-05828
CVE-2019-14894
RHSA-2020:0588
RHSA-2020:0589

Affected Products

Cloudforms Management Engine