CVE-2017-2664

MEDIUM

CloudForms Management Engine < 5.7.3 and 5.8.x < 5.8.1 - Privilege Escalation via Unprotected Rails Application Methods


Description

CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges.

References (4)

Core References

Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2017:3484
Third Party Advisory, VDB Entry (SecurityFocus BID): http://www.securityfocus.com/bid/100148
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2017:1758
Issue Tracking, Vendor Advisory (Red Hat Bugzilla): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2664

Scores

CVSS v3 6.5
EPSS 0.0132
EPSS Percentile 67.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-284
Status published
Products (3)
redhat/cloudforms 4.2
redhat/cloudforms 4.6
redhat/cloudforms_management_engine < 5.7.3
Published Jul 26, 2018
Tracked Since Feb 18, 2026