CVE-2020-14325

CWE-285 | 4 documents | 4 sources

Severity: 9.1 CRITICAL
EPSS: 0.2% (top 52.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Aug 11

Description

Red Hat CloudForms before 5.11.7.0 was vulnerable to a User Impersonation authorization flaw that allows a malicious attacker to create an existent or non-existent role-based access control user with arbitrary groups and roles. By selecting the EvmGroup-super_administrator group, an attacker can perform any API request as a super administrator.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2

Affected Packages (2 packages)

Source      Package             Affected versions
NVD         redhat/cloudforms   < 5.11.7.0
CVEListV5   cloudforms (cfme)   5.11.7.0

Vulnerability Details (1)

CVEList: CVE-2020-14325: Red Hat CloudForms before 5... (2020-08-11)

Vendor Advisories (1)

Red Hat: CloudForms: User Impersonation in the API for OIDC and SAML (2020-08-03)

Community (1)

Bugzilla: CVE-2020-14325 CloudForms: User Impersonation in the API for OIDC and SAML (2020-07-10)