CVE-2014-3486
Red Hat CloudForms Management Engine < 5.2.4.2 - Local Arbitrary Command Execution via Symlink Attack
Title source: llmDescription
The (1) shell_exec function in lib/util/MiqSshUtilV1.rb and (2) temp_cmd_file function in lib/util/MiqSshUtilV2.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allow local users to execute arbitrary commands via a symlink attack on a temporary file with a predictable name.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/68300
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1107528
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0816.html
Scores
EPSS
0.0035
EPSS Percentile
27.0%
Details
CWE
CWE-59
Status
published
Products (7)
redhat/cloudforms_3.0_management_engine
5.2
redhat/cloudforms_3.0_management_engine
5.2.1
redhat/cloudforms_3.0_management_engine
5.2.1.6
redhat/cloudforms_3.0_management_engine
5.2.2
redhat/cloudforms_3.0_management_engine
5.2.3
redhat/cloudforms_3.0_management_engine
5.2.3.2
redhat/cloudforms_3.0_management_engine
< 5.2.4
Published
Jul 07, 2014
Tracked Since
Feb 18, 2026