CVE-2017-7497

MEDIUM

Red Hat CloudForms Management Engine - Improper Access Control in Cloud Volume Creation Dialog

Title source: llm

Description

The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant.

References (3)

Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7497
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1601
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1758

Scores

CVSS v3 4.1
EPSS 0.0099
EPSS Percentile 58.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-284
Status published
Products (2)
redhat/cloudforms_management_engine 5.7.2
redhat/cloudforms_management_engine 5.8.0
Published Jul 27, 2018
Tracked Since Feb 18, 2026