PT-2020-3567 · Red Hat · Red Hat Cloudforms

Published

2020-08-03

·

Updated

2021-07-21

·

CVE-2020-10783

CVSS v3.1

8.3

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

Red Hat CloudForms versions 4.7 through 5

Description

CloudForms Management Engine (CFME), the component of Red Hat CloudForms that manages virtual and cloud environments, does not sufficiently enforce access control on privileged actions. A remote, authenticated attacker whose account belongs to the EVM-Operator group can perform actions that are meant to be restricted to the EVM-Super-administrator group, such as exporting or importing administrator files, and thereby escalate their privileges. The CVSS vector reflects this: the attack is network-reachable and requires only low-privileged credentials (PR:L), with no user interaction.

Recommendations

Apply the vendor updates. The Red Hat advisories listed under Related Identifiers (RHSA-2020:3358 and RHSA-2020:3574) are associated with this CVE and identify the fixed packages for the affected release streams. Where an update cannot be applied immediately, reduce the privileges of the EVM-Operator group so that it cannot reach the export and import actions, and limit membership of the EVM-Operator and EVM-Super-administrator groups to accounts that need them. Verify the workaround by confirming that an EVM-Operator account is actually refused those actions; hiding a menu entry in the UI is not sufficient if the underlying request is still accepted.
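The weakness class behind this entry, improper authorization, is the gap between "the caller is logged in" and "the caller is allowed to do this". The following Ruby snippet is an added illustration, not code from CloudForms or ManageIQ: it models the two group names from the advisory, contrasts an authentication-only handler with a deny-by-default authorization check, and provides an audit helper that lists which privileged actions each group can perform. The action names, the User struct, the handler functions and the policy table are all hypothetical.

```ruby
# Added illustrative example; not CloudForms/ManageIQ code.
# Group names mirror the advisory; everything else is hypothetical.

User = Struct.new(:name, :group)

SUPER_ADMIN = "EVM-Super-administrator"
OPERATOR    = "EVM-Operator"
GROUPS      = [SUPER_ADMIN, OPERATOR].freeze

# Assumed policy table (not the product's real role model): which groups may
# invoke which privileged actions. Anything not listed here is denied.
PRIVILEGED_ACTIONS = {
  "export_admin_files" => [SUPER_ADMIN],
  "import_admin_files" => [SUPER_ADMIN],
}.freeze

# Vulnerable pattern: the handler checks that *some* authenticated user is
# present but never checks that the user's group may perform the action.
# An EVM-Operator therefore reaches super-administrator actions.
def vulnerable_handle(user, action)
  return :denied if user.nil?
  :performed
end

# Hardened pattern: deny by default; perform the action only when it is a
# known action and the caller's group is on its allow-list. Unknown actions
# and missing users are refused, so a typo in a route name fails closed.
def hardened_handle(user, action)
  return :denied if user.nil?
  allowed = PRIVILEGED_ACTIONS.fetch(action, [])
  allowed.include?(user.group) ? :performed : :denied
end

# Audit helper: run every privileged action through a handler on behalf of
# one user per group and return a group => [performed actions] matrix.
# Useful for checking a workaround such as "limit the EVM-Operator group":
# after the change, the operator row should be empty.
def audit_matrix(handler)
  GROUPS.each_with_object({}) do |group, matrix|
    user = User.new("probe-#{group}", group)
    matrix[group] = PRIVILEGED_ACTIONS.keys.select do |action|
      send(handler, user, action) == :performed
    end
  end
end

# Actions an EVM-Operator can perform that the policy reserves for the
# super-administrator; a non-empty list is the privilege escalation.
def operator_escalations(handler)
  audit_matrix(handler)[OPERATOR]
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{audit_matrix(:vulnerable_handle).inspect}"
  puts "hardened:   #{audit_matrix(:hardened_handle).inspect}"
end
```

The point of `audit_matrix` is that the check belongs in the request handler, not only in the navigation that exposes it: probing each action directly, as the helper does, is the same thing an attacker with an EVM-Operator account would do against the real endpoints.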

Weakness Enumeration

Improper Authorization

Improper Access Control

Related Identifiers

BDU:2020-03900
CVE-2020-10783
RHSA-2020:3358
RHSA-2020:3574

Affected Products

Red Hat Cloudforms