Vulnerability Details : CVE-2017-7530
In CloudForms Management Engine (cfme) before 5.7.3 and in 5.8.x before 5.8.1, a privilege check is missing when filtering on VMs: the filter expression is executed by MiqExpression and can invoke arbitrary methods, and this is triggerable by API users. An attacker could use this to execute actions they should not be allowed to perform (e.g. destroying VMs).
Products affected by CVE-2017-7530
- cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:cloudforms_management_engine:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-7530
- EPSS score: 0.16% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~54% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2017-7530
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | Red Hat, Inc. | |
CWE ids for CVE-2017-7530
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (Assigned by: secalert@redhat.com, Secondary)
References for CVE-2017-7530
- https://access.redhat.com/errata/RHSA-2017:1758 : RHSA-2017:1758 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- http://www.securityfocus.com/bid/100151 : Red Hat CloudForms Management Engine CVE-2017-7530 Privilege Escalation Vulnerability (Third Party Advisory; VDB Entry)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7530 : 1465448 - (CVE-2017-7530) CVE-2017-7530 cfme: Execution of arbitrary methods through filter param (Issue Tracking; Vendor Advisory)