CVE-2017-7530

In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs).

Published: Jul 26, 2018
Updated: Apr 13, 2023
CVE: CVE-2017-7530
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
redhat / cloudforms	4.5	4.5.x
redhat / cloudforms_management_engine	-	5.7.3
redhat / cloudforms_management_engine	5.8.0	5.8.1

http://www.securityfocus.com/bid/100151
https://access.redhat.com/errata/RHSA-2017:1758
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7530

Vulnerability Database

289,599

CVE-2017-7530