RHSA-2017_0898
Vulnerability from csaf_redhat - Published: 2017-04-12 14:31 - Updated: 2024-11-22 10:54
Summary
Red Hat Security Advisory: cfme, cfme-appliance, and cfme-gemset security, bug fix, and enhancement update
Severity
Moderate
Notes
Topic: An update for cfme, cfme-appliance, and cfme-gemset is now available for CloudForms Management Engine 5.7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
Security Fix(es):
* A number of unused delete routes are present in CloudForms that can be reached via GET requests rather than only POST requests. Because the protect_from_forgery XSRF protection does not verify GET requests, an attacker could bypass it and cause these routes to be invoked. This attack would require an additional cross-site scripting or similar attack in order to execute. (CVE-2017-2653)
Additional Changes:
This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Technical Notes document linked to in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
CVE-2017-2653
A number of unused delete routes are present in CloudForms that can be reached via GET requests rather than only POST requests. Because the protect_from_forgery XSRF protection does not verify GET requests, an attacker could bypass it and cause these routes to be invoked. This attack would require an additional cross-site scripting or similar attack in order to execute.
CVSS v3.0 base score: 4.1 (Medium)
Affected products
Fixed (8 products)
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| cfme-0:5.7.2.1-1.el7cf.src as a component of CloudForms Management Engine 5.7 | 7Server-RH7-CFME-5.7:cfme-0:5.7.2.1-1.el7cf.src | 5.7.2.1-1.el7cf | Vendor Fix |
| cfme-0:5.7.2.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.7 | 7Server-RH7-CFME-5.7:cfme-0:5.7.2.1-1.el7cf.x86_64 | 5.7.2.1-1.el7cf | Vendor Fix |
| cfme-appliance-0:5.7.2.1-1.el7cf.src as a component of CloudForms Management Engine 5.7 | 7Server-RH7-CFME-5.7:cfme-appliance-0:5.7.2.1-1.el7cf.src | 5.7.2.1-1.el7cf | Vendor Fix |
| cfme-appliance-0:5.7.2.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.7 | 7Server-RH7-CFME-5.7:cfme-appliance-0:5.7.2.1-1.el7cf.x86_64 | 5.7.2.1-1.el7cf | Vendor Fix |
| cfme-appliance-debuginfo-0:5.7.2.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.7 | 7Server-RH7-CFME-5.7:cfme-appliance-debuginfo-0:5.7.2.1-1.el7cf.x86_64 | 5.7.2.1-1.el7cf | Vendor Fix |
| cfme-debuginfo-0:5.7.2.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.7 | 7Server-RH7-CFME-5.7:cfme-debuginfo-0:5.7.2.1-1.el7cf.x86_64 | 5.7.2.1-1.el7cf | Vendor Fix |
| cfme-gemset-0:5.7.2.1-1.el7cf.src as a component of CloudForms Management Engine 5.7 | 7Server-RH7-CFME-5.7:cfme-gemset-0:5.7.2.1-1.el7cf.src | 5.7.2.1-1.el7cf | Vendor Fix |
| cfme-gemset-0:5.7.2.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.7 | 7Server-RH7-CFME-5.7:cfme-gemset-0:5.7.2.1-1.el7cf.x86_64 | 5.7.2.1-1.el7cf | Vendor Fix |
Threats
Impact: Moderate
References
145 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for cfme, cfme-appliance, and cfme-gemset is now available for CloudForms Management Engine 5.7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.\n\nSecurity Fix(es):\n\n* A number of unused delete routes are present in CloudForms which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting or similar attacks in order to execute. (CVE-2017-2653)\n\nAdditional Changes:\n\nThis update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Technical Notes document linked to in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:0898",
"url": "https://access.redhat.com/errata/RHSA-2017:0898"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1386342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1386342"
},
{
"category": "external",
"summary": "1393438",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1393438"
},
{
"category": "external",
"summary": "1395722",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1395722"
},
{
"category": "external",
"summary": "1395866",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1395866"
},
{
"category": "external",
"summary": "1396237",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1396237"
},
{
"category": "external",
"summary": "1396579",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1396579"
},
{
"category": "external",
"summary": "1402995",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1402995"
},
{
"category": "external",
"summary": "1411477",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1411477"
},
{
"category": "external",
"summary": "1414003",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1414003"
},
{
"category": "external",
"summary": "1416819",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1416819"
},
{
"category": "external",
"summary": "1416827",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1416827"
},
{
"category": "external",
"summary": "1416836",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1416836"
},
{
"category": "external",
"summary": "1416894",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1416894"
},
{
"category": "external",
"summary": "1417757",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1417757"
},
{
"category": "external",
"summary": "1417762",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1417762"
},
{
"category": "external",
"summary": "1417763",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1417763"
},
{
"category": "external",
"summary": "1417779",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1417779"
},
{
"category": "external",
"summary": "1418066",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1418066"
},
{
"category": "external",
"summary": "1418221",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1418221"
},
{
"category": "external",
"summary": "1418815",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1418815"
},
{
"category": "external",
"summary": "1419603",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1419603"
},
{
"category": "external",
"summary": "1419694",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1419694"
},
{
"category": "external",
"summary": "1420284",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420284"
},
{
"category": "external",
"summary": "1420442",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420442"
},
{
"category": "external",
"summary": "1420467",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420467"
},
{
"category": "external",
"summary": "1421154",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1421154"
},
{
"category": "external",
"summary": "1421158",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1421158"
},
{
"category": "external",
"summary": "1421161",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1421161"
},
{
"category": "external",
"summary": "1422647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1422647"
},
{
"category": "external",
"summary": "1422648",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1422648"
},
{
"category": "external",
"summary": "1422649",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1422649"
},
{
"category": "external",
"summary": "1422650",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1422650"
},
{
"category": "external",
"summary": "1422651",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1422651"
},
{
"category": "external",
"summary": "1422652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1422652"
},
{
"category": "external",
"summary": "1422653",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1422653"
},
{
"category": "external",
"summary": "1422654",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1422654"
},
{
"category": "external",
"summary": "1422975",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1422975"
},
{
"category": "external",
"summary": "1423032",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1423032"
},
{
"category": "external",
"summary": "1423470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1423470"
},
{
"category": "external",
"summary": "1424255",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1424255"
},
{
"category": "external",
"summary": "1425492",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1425492"
},
{
"category": "external",
"summary": "1425494",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1425494"
},
{
"category": "external",
"summary": "1425873",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1425873"
},
{
"category": "external",
"summary": "1426433",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1426433"
},
{
"category": "external",
"summary": "1426628",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1426628"
},
{
"category": "external",
"summary": "1426638",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1426638"
},
{
"category": "external",
"summary": "1426683",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1426683"
},
{
"category": "external",
"summary": "1427168",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1427168"
},
{
"category": "external",
"summary": "1427169",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1427169"
},
{
"category": "external",
"summary": "1427172",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1427172"
},
{
"category": "external",
"summary": "1427298",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1427298"
},
{
"category": "external",
"summary": "1427299",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1427299"
},
{
"category": "external",
"summary": "1427321",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1427321"
},
{
"category": "external",
"summary": "1427520",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1427520"
},
{
"category": "external",
"summary": "1427522",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1427522"
},
{
"category": "external",
"summary": "1428079",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428079"
},
{
"category": "external",
"summary": "1428122",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428122"
},
{
"category": "external",
"summary": "1428124",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428124"
},
{
"category": "external",
"summary": "1428130",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428130"
},
{
"category": "external",
"summary": "1428131",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428131"
},
{
"category": "external",
"summary": "1428508",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428508"
},
{
"category": "external",
"summary": "1428509",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428509"
},
{
"category": "external",
"summary": "1428512",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428512"
},
{
"category": "external",
"summary": "1428579",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428579"
},
{
"category": "external",
"summary": "1428895",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428895"
},
{
"category": "external",
"summary": "1428897",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428897"
},
{
"category": "external",
"summary": "1428899",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428899"
},
{
"category": "external",
"summary": "1428900",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428900"
},
{
"category": "external",
"summary": "1428903",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428903"
},
{
"category": "external",
"summary": "1428904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1428904"
},
{
"category": "external",
"summary": "1429648",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1429648"
},
{
"category": "external",
"summary": "1429650",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1429650"
},
{
"category": "external",
"summary": "1429652",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1429652"
},
{
"category": "external",
"summary": "1429999",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1429999"
},
{
"category": "external",
"summary": "1430088",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1430088"
},
{
"category": "external",
"summary": "1430089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1430089"
},
{
"category": "external",
"summary": "1430439",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1430439"
},
{
"category": "external",
"summary": "1430542",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1430542"
},
{
"category": "external",
"summary": "1430835",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1430835"
},
{
"category": "external",
"summary": "1430838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1430838"
},
{
"category": "external",
"summary": "1430937",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1430937"
},
{
"category": "external",
"summary": "1431154",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1431154"
},
{
"category": "external",
"summary": "1431162",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1431162"
},
{
"category": "external",
"summary": "1431163",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1431163"
},
{
"category": "external",
"summary": "1431164",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1431164"
},
{
"category": "external",
"summary": "1431165",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1431165"
},
{
"category": "external",
"summary": "1431166",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1431166"
},
{
"category": "external",
"summary": "1431168",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1431168"
},
{
"category": "external",
"summary": "1431620",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1431620"
},
{
"category": "external",
"summary": "1431641",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1431641"
},
{
"category": "external",
"summary": "1431727",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1431727"
},
{
"category": "external",
"summary": "1431808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1431808"
},
{
"category": "external",
"summary": "1431842",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1431842"
},
{
"category": "external",
"summary": "1432093",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432093"
},
{
"category": "external",
"summary": "1432098",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432098"
},
{
"category": "external",
"summary": "1432174",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432174"
},
{
"category": "external",
"summary": "1432463",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432463"
},
{
"category": "external",
"summary": "1432467",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432467"
},
{
"category": "external",
"summary": "1432639",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432639"
},
{
"category": "external",
"summary": "1432957",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432957"
},
{
"category": "external",
"summary": "1432960",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432960"
},
{
"category": "external",
"summary": "1432961",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432961"
},
{
"category": "external",
"summary": "1432962",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432962"
},
{
"category": "external",
"summary": "1433069",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433069"
},
{
"category": "external",
"summary": "1433089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433089"
},
{
"category": "external",
"summary": "1433093",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433093"
},
{
"category": "external",
"summary": "1433094",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433094"
},
{
"category": "external",
"summary": "1433366",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433366"
},
{
"category": "external",
"summary": "1433435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433435"
},
{
"category": "external",
"summary": "1433486",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433486"
},
{
"category": "external",
"summary": "1433500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433500"
},
{
"category": "external",
"summary": "1433962",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433962"
},
{
"category": "external",
"summary": "1433974",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433974"
},
{
"category": "external",
"summary": "1433976",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433976"
},
{
"category": "external",
"summary": "1433979",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433979"
},
{
"category": "external",
"summary": "1433980",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433980"
},
{
"category": "external",
"summary": "1433981",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433981"
},
{
"category": "external",
"summary": "1434012",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1434012"
},
{
"category": "external",
"summary": "1434096",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1434096"
},
{
"category": "external",
"summary": "1434150",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1434150"
},
{
"category": "external",
"summary": "1434151",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1434151"
},
{
"category": "external",
"summary": "1434157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1434157"
},
{
"category": "external",
"summary": "1434158",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1434158"
},
{
"category": "external",
"summary": "1434160",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1434160"
},
{
"category": "external",
"summary": "1434172",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1434172"
},
{
"category": "external",
"summary": "1434411",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1434411"
},
{
"category": "external",
"summary": "1434428",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1434428"
},
{
"category": "external",
"summary": "1434549",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1434549"
},
{
"category": "external",
"summary": "1435278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1435278"
},
{
"category": "external",
"summary": "1436223",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1436223"
},
{
"category": "external",
"summary": "1436340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1436340"
},
{
"category": "external",
"summary": "1436854",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1436854"
},
{
"category": "external",
"summary": "1437560",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1437560"
},
{
"category": "external",
"summary": "1438450",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1438450"
},
{
"category": "external",
"summary": "1438888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1438888"
},
{
"category": "external",
"summary": "1439308",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1439308"
},
{
"category": "external",
"summary": "1440405",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1440405"
},
{
"category": "external",
"summary": "1440408",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1440408"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0898.json"
}
],
"title": "Red Hat Security Advisory: cfme, cfme-appliance, and cfme-gemset security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-22T10:54:22+00:00",
"generator": {
"date": "2024-11-22T10:54:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:0898",
"initial_release_date": "2017-04-12T14:31:08+00:00",
"revision_history": [
{
"date": "2017-04-12T14:31:08+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-04-12T14:31:08+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T10:54:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CloudForms Management Engine 5.7",
"product": {
"name": "CloudForms Management Engine 5.7",
"product_id": "7Server-RH7-CFME-5.7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cloudforms_managementengine:5.7::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "cfme-debuginfo-0:5.7.2.1-1.el7cf.x86_64",
"product": {
"name": "cfme-debuginfo-0:5.7.2.1-1.el7cf.x86_64",
"product_id": "cfme-debuginfo-0:5.7.2.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-debuginfo@5.7.2.1-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.7.2.1-1.el7cf.x86_64",
"product": {
"name": "cfme-0:5.7.2.1-1.el7cf.x86_64",
"product_id": "cfme-0:5.7.2.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.7.2.1-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-debuginfo-0:5.7.2.1-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-debuginfo-0:5.7.2.1-1.el7cf.x86_64",
"product_id": "cfme-appliance-debuginfo-0:5.7.2.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance-debuginfo@5.7.2.1-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.7.2.1-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-0:5.7.2.1-1.el7cf.x86_64",
"product_id": "cfme-appliance-0:5.7.2.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.7.2.1-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-0:5.7.2.1-1.el7cf.x86_64",
"product": {
"name": "cfme-gemset-0:5.7.2.1-1.el7cf.x86_64",
"product_id": "cfme-gemset-0:5.7.2.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset@5.7.2.1-1.el7cf?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "cfme-0:5.7.2.1-1.el7cf.src",
"product": {
"name": "cfme-0:5.7.2.1-1.el7cf.src",
"product_id": "cfme-0:5.7.2.1-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.7.2.1-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.7.2.1-1.el7cf.src",
"product": {
"name": "cfme-appliance-0:5.7.2.1-1.el7cf.src",
"product_id": "cfme-appliance-0:5.7.2.1-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.7.2.1-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-0:5.7.2.1-1.el7cf.src",
"product": {
"name": "cfme-gemset-0:5.7.2.1-1.el7cf.src",
"product_id": "cfme-gemset-0:5.7.2.1-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset@5.7.2.1-1.el7cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.7.2.1-1.el7cf.src as a component of CloudForms Management Engine 5.7",
"product_id": "7Server-RH7-CFME-5.7:cfme-0:5.7.2.1-1.el7cf.src"
},
"product_reference": "cfme-0:5.7.2.1-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.7.2.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.7",
"product_id": "7Server-RH7-CFME-5.7:cfme-0:5.7.2.1-1.el7cf.x86_64"
},
"product_reference": "cfme-0:5.7.2.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.7.2.1-1.el7cf.src as a component of CloudForms Management Engine 5.7",
"product_id": "7Server-RH7-CFME-5.7:cfme-appliance-0:5.7.2.1-1.el7cf.src"
},
"product_reference": "cfme-appliance-0:5.7.2.1-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.7.2.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.7",
"product_id": "7Server-RH7-CFME-5.7:cfme-appliance-0:5.7.2.1-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-0:5.7.2.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-debuginfo-0:5.7.2.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.7",
"product_id": "7Server-RH7-CFME-5.7:cfme-appliance-debuginfo-0:5.7.2.1-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-debuginfo-0:5.7.2.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-debuginfo-0:5.7.2.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.7",
"product_id": "7Server-RH7-CFME-5.7:cfme-debuginfo-0:5.7.2.1-1.el7cf.x86_64"
},
"product_reference": "cfme-debuginfo-0:5.7.2.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-0:5.7.2.1-1.el7cf.src as a component of CloudForms Management Engine 5.7",
"product_id": "7Server-RH7-CFME-5.7:cfme-gemset-0:5.7.2.1-1.el7cf.src"
},
"product_reference": "cfme-gemset-0:5.7.2.1-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-0:5.7.2.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.7",
"product_id": "7Server-RH7-CFME-5.7:cfme-gemset-0:5.7.2.1-1.el7cf.x86_64"
},
"product_reference": "cfme-gemset-0:5.7.2.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-2653",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-03-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1432174"
}
],
"notes": [
{
"category": "description",
"text": "A number of unused delete routes are present in CloudForms which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting or similar attacks in order to execute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CloudForms: UI security issue on Openstack actions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-CFME-5.7:cfme-0:5.7.2.1-1.el7cf.src",
"7Server-RH7-CFME-5.7:cfme-0:5.7.2.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.7:cfme-appliance-0:5.7.2.1-1.el7cf.src",
"7Server-RH7-CFME-5.7:cfme-appliance-0:5.7.2.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.7:cfme-appliance-debuginfo-0:5.7.2.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.7:cfme-debuginfo-0:5.7.2.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.7:cfme-gemset-0:5.7.2.1-1.el7cf.src",
"7Server-RH7-CFME-5.7:cfme-gemset-0:5.7.2.1-1.el7cf.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-2653"
},
{
"category": "external",
"summary": "RHBZ#1432174",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432174"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-2653",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-2653"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-2653",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2653"
}
],
"release_date": "2017-03-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-12T14:31:08+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-CFME-5.7:cfme-0:5.7.2.1-1.el7cf.src",
"7Server-RH7-CFME-5.7:cfme-0:5.7.2.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.7:cfme-appliance-0:5.7.2.1-1.el7cf.src",
"7Server-RH7-CFME-5.7:cfme-appliance-0:5.7.2.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.7:cfme-appliance-debuginfo-0:5.7.2.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.7:cfme-debuginfo-0:5.7.2.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.7:cfme-gemset-0:5.7.2.1-1.el7cf.src",
"7Server-RH7-CFME-5.7:cfme-gemset-0:5.7.2.1-1.el7cf.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0898"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-CFME-5.7:cfme-0:5.7.2.1-1.el7cf.src",
"7Server-RH7-CFME-5.7:cfme-0:5.7.2.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.7:cfme-appliance-0:5.7.2.1-1.el7cf.src",
"7Server-RH7-CFME-5.7:cfme-appliance-0:5.7.2.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.7:cfme-appliance-debuginfo-0:5.7.2.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.7:cfme-debuginfo-0:5.7.2.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.7:cfme-gemset-0:5.7.2.1-1.el7cf.src",
"7Server-RH7-CFME-5.7:cfme-gemset-0:5.7.2.1-1.el7cf.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CloudForms: UI security issue on Openstack actions"
}
]
}