CVE-2017-2632

CWE-285 CWE-863 — Incorrect Authorization5 documents5 sources

Severity

4.9MEDIUM

EPSS

0.4%

top 40.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Cloudforms Management Engine RED HAT Cfme Redhat Cloudforms

Timeline

PublishedJul 27

Latest updateMay 13

Description

A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate privileges.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages3 packages

▶NVDredhat/cloudforms_management_engine< 5.7.1.3

▶NVDredhat/cloudforms4.2

▶CVEListV5red_hat/cfme5.7.1.3

🔴Vulnerability Details

GHSA

GHSA-859c-mmxf-c34p: A logic error in valid_role() in CloudForms role validation before 5↗2022-05-13

▶

CVEList

CVE-2017-2632: A logic error in valid_role() in CloudForms role validation before 5↗2018-07-27

▶

📋Vendor Advisories

Red Hat

cfme: tenant administrator can create a group with higher permissions↗2017-02-27

▶

💬Community

Bugzilla

CVE-2017-2632 cfme: tenant administrator can create a group with higher permissions↗2017-02-20

▶