CVE-2016-7071

It was found that the CloudForms before 5.6.2.2, and 5.7.0.7 did not properly apply permissions controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbitrary VMs on systems managed by CloudForms if they know the ID of the VM.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
redhatCNA
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 64%
VendorProductVersion
redhatcloudforms_management_engine
𝑥
< 5.6.2.2
redhatcloudforms_management_engine
5.7.0.0 ≤
𝑥
< 5.7.0.7
redhatcloudforms
4.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://rhn.redhat.com/errata/RHSA-2016-2091.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7071
http://rhn.redhat.com/errata/RHSA-2016-2091.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7071