CVE-2020-14324 — OS Command Injection in Redhat Cloudforms Management Engine

CWE-78 — OS Command Injection4 documents4 sources

Severity

9.1CRITICALNVD

EPSS

1.7%

top 17.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Cloudforms Management Engine Redhat Cloudforms

Timeline

PublishedAug 11

Description

A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5.11.7.0. The out of band OS command injection vulnerability can be exploited by authenticated attacker while setuping conversion host through Infrastructure Migration Solution. This flaw allows attacker to execute arbitrary commands on CloudForms server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages3 packages

▶NVDredhat/cloudforms_management_engine< 5.11.7.0

▶CVEListV5redhat/cloudformscfme 5.11.7.0

▶CVEListV5redhat/cloudforms_management_enginecfme 5.11.7.0

🔴Vulnerability Details

CVEList

CVE-2020-14324: A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5↗2020-08-11

▶

📋Vendor Advisories

Red Hat

CloudForms: Out-of-band OS Command Injection through conversion host↗2020-08-03

▶

💬Community

Bugzilla

CVE-2020-14324 CloudForms: Out-of-band OS Command Injection through conversion host↗2020-07-10

▶