CVE-2016-7071

Description

It was found that the CloudForms before 5.6.2.2, and 5.7.0.7 did not properly apply permissions controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbitrary VMs on systems managed by CloudForms if they know the ID of the VM.

CVSS breakdown

CVSS 3.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

Red Hat / cfme5.6.2.2 – 5.6.2.2
Red Hat / cfme5.7.0.7 – 5.7.0.7

References

MISChttp://rhn.redhat.com/errata/RHSA-2016-2091.html
MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7071