CVE-2019-14894 — Improper Input Validation in Red Hat CloudForms Management Engine
Severity
7.2 HIGH (NVD)
8.0 (CNA)
EPSS
2.5%
top 14.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 22
Latest update: May 24
Description
A flaw was found in the CloudForms management engine version 5.10 and CloudForms management version 5.11 that allowed remote code execution through NFS schedule backup. An attacker logged into the management console could use this flaw to execute arbitrary shell commands on the CloudForms server as root.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9