CVE-2017-7497

The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant.

Published: Jul 27, 2018
Updated: Apr 13, 2023
CVE: CVE-2017-7497
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:N/I:P/A:N

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
redhat / cloudforms_management_engine	5.7.2	5.7.2.x
redhat / cloudforms_management_engine	5.8.0	5.8.0.x

https://access.redhat.com/errata/RHSA-2017:1601
https://access.redhat.com/errata/RHSA-2017:1758
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7497

Vulnerability Database

289,697

CVE-2017-7497