CVE-2017-2664

CWE-284 — Improper Access Control6 documents5 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 55.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Cloudforms Management Engine RED HAT Cloudforms Redhat Cloudforms

Timeline

PublishedJul 26

Latest updateMay 13

Description

CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDredhat/cloudforms_management_engine5.8 — 5.8.1+1

▶NVDredhat/cloudforms4.2, 4.6+1

▶CVEListV5red_hat/cloudforms5.7.3, 5.8.1+1

🔴Vulnerability Details

GHSA

GHSA-rc49-fxf8-jgg2: CloudForms Management Engine (cfme) before 5↗2022-05-13

▶

CVEList

CVE-2017-2664: CloudForms Management Engine (cfme) before 5↗2018-07-26

▶

📋Vendor Advisories

Red Hat

CloudForms: lack of RBAC on various methods in web UI↗2017-08-02

▶

💬Community

Bugzilla

CVE-2017-2664 CloudForms: lack of RBAC on various methods in web UI↗2017-03-23

▶

Bugzilla

CVE-2017-5563 libtiff: Heap-buffer overflow in LZWEncode tif_lzw.c↗2017-01-24

▶