CVE-2016-7040

Опубликовано: 04 окт. 2016

Источник: redhat

CVSS3: 8.8

CVSS2: 6

EPSS Низкий

Описание

Red Hat CloudForms Management Engine 4.1 does not properly handle regular expressions passed to the expression engine via the JSON API and the web-based UI, which allows remote authenticated users to execute arbitrary shell commands by leveraging the ability to view and filter collections.

An input validation flaw was found in the way CloudForms regular expressions were passed to the expression engine via both the JSON API and the web based UI. A user with the ability to view collections and filter them could use this flaw to execute arbitrary shell commands on the host with the privileges of the CloudForms process.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
CloudForms Management Engine 5.2	cfme	Affected
CloudForms Management Engine 5.3	cfme	Affected
CloudForms Management Engine 5.4	cfme	Affected
CloudForms Management Engine 5.5	cfme	Will not fix
CloudForms Management Engine 5.6	cfme	Affected
CloudForms Management Engine 5.7	cfme	Affected
CloudForms Management Engine 5.6	cfme	Fixed	RHSA-2016:1996	04.10.2016
CloudForms Management Engine 5.6	cfme-appliance	Fixed	RHSA-2016:1996	04.10.2016
CloudForms Management Engine 5.6	cfme-gemset	Fixed	RHSA-2016:1996	04.10.2016
CloudForms Management Engine 5.6	rh-ruby22-rubygem-nokogiri	Fixed	RHSA-2016:1996	04.10.2016

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-20

https://bugzilla.redhat.com/show_bug.cgi?id=1375089cfme: Incorrect sanitization in regular expression engine

EPSS

Процентиль: 70%

0.00641

Низкий

8.8 High

CVSS3

6 Medium

CVSS2

Связанные уязвимости

CVE-2016-7040

CVSS3: 8.8

nvd

больше 9 лет назад

GHSA-7fr4-2q4f-xgw5

CVSS3: 8.8

github

больше 3 лет назад

EPSS

Процентиль: 70%

0.00641

Низкий

8.8 High

CVSS3

6 Medium

CVSS2