CVE-2017-12191

CWE-284Improper Access ControlCWE-613Insufficient Session Expiration5 documents5 sources
Severity
7.4HIGH
EPSS
0.2%
top 61.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
RED Hat, Inc. CloudformsRedhat Cloudforms
Timeline
PublishedFeb 28
Latest updateMay 13

Description

A flaw was found in the CloudForms account configuration when using VMware. By default, a shared account is used that has privileged access to VMRC (VMWare Remote Console) functions that may not be appropriate for users of CloudForms (and thus this account). An attacker could use this vulnerability to view and make changes to settings in the VMRC and virtual machines controlled by it that they should not have access to.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:LExploitability: 3.1 | Impact: 3.7

Affected Packages2 packages

CVEListV5red_hat,_inc./cloudformsThrough 5.9

Patches

Patch: access.redhat.comPatch: access.redhat.com

🔴Vulnerability Details

2
GHSA
GHSA-cfmg-g9hg-m3g2: A flaw was found in the CloudForms account configuration when using VMware2022-05-13
CVEList
CVE-2017-12191: A flaw was found in the CloudForms account configuration when using VMware2018-02-28

📋Vendor Advisories

1
Red Hat
CFME: VMRC plugin console grants users administrative access2018-02-27

💬Community

1
Bugzilla
CVE-2017-12191 CFME: VMRC plugin console grants users administrative access2017-10-10
CVE-2017-12191 (HIGH CVSS 7.4) | A flaw was found in the CloudForms | cvebase.io