CVE-2017-2653

CWE-20 — Improper Input Validation6 documents5 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 56.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Cloudforms Management Engine RED HAT Cloudforms Redhat Cloudforms

Timeline

PublishedJul 27

Latest updateMay 13

Description

A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting or similar attacks in order to execute.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:NExploitability: 2.3 | Impact: 1.4

Affected Packages3 packages

▶NVDredhat/cloudforms_management_engine< 5.7.2.1

▶NVDredhat/cloudforms4.2

▶CVEListV5red_hat/cloudforms5.7.2.1

🔴Vulnerability Details

GHSA

GHSA-xfgx-c33h-jf9f: A number of unused delete routes are present in CloudForms before 5↗2022-05-13

▶

CVEList

CVE-2017-2653: A number of unused delete routes are present in CloudForms before 5↗2018-07-27

▶

📋Vendor Advisories

Red Hat

CloudForms: UI security issue on Openstack actions↗2017-03-14

▶

💬Community

Bugzilla

CVE-2017-7595 libtiff: Divide-by-zero in JPEGSetupEncode (tiff_jpeg.c)↗2017-04-11

▶

Bugzilla

CVE-2017-2653 CloudForms: UI security issue on Openstack actions↗2017-03-14

▶