CVE-2017-7497

The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.1 MEDIUM
NETWORK
HIGH
HIGH
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
redhatCNA
4.1 MEDIUM
NETWORK
HIGH
HIGH
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 8%
VendorProductVersion
redhatcloudforms_management_engine
5.7.2
redhatcloudforms_management_engine
5.8.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2017:1601
https://access.redhat.com/errata/RHSA-2017:1758
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7497
https://access.redhat.com/errata/RHSA-2017:1601
https://access.redhat.com/errata/RHSA-2017:1758
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7497