CVE-2017-7497
MEDIUM
Red Hat CloudForms Management Engine - Improper Access Control in Cloud Volume Creation Dialog
Title source: llm
Description
The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant.
References (3)
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7497
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1601
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1758
Scores
CVSS v3
4.1
EPSS
0.0099
EPSS Percentile
58.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-284
Status
published
Products (2)
redhat/cloudforms_management_engine 5.7.2
redhat/cloudforms_management_engine 5.8.0
Published
Jul 27, 2018
Tracked Since
Feb 18, 2026