CVE-2017-7530
HIGHCloudForms Management Engine < 5.7.3 and 5.8.x < 5.8.1 - Missing Authorization via MiqExpression Filtering
Title source: llmDescription
In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs).
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/100151
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7530
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1758
Scores
CVSS v3
8.8
EPSS
0.0170
EPSS Percentile
74.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-862
Status
published
Products (2)
redhat/cloudforms
4.5
redhat/cloudforms_management_engine
< 5.7.3
Published
Jul 26, 2018
Tracked Since
Feb 18, 2026