Skip to main content

Cloudforms Management Engine CVE-2020-14324

CRITICAL
OS Command Injection (CWE-78)
2020-08-11 secalert@redhat.com
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 11, 2020 - 14:15 nvd
CRITICAL 9.1

DescriptionNVD

A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5.11.7.0. The out of band OS command injection vulnerability can be exploited by authenticated attacker while setuping conversion host through Infrastructure Migration Solution. This flaw allows attacker to execute arbitrary commands on CloudForms server.

AnalysisAI

A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5.11.7.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5.11.7.0. The out of band OS command injection vulnerability can be exploited by authenticated attacker while setuping conversion host through Infrastructure Migration Solution. This flaw allows attacker to execute arbitrary commands on CloudForms server. Affected products include: Redhat Cloudforms Management Engine. Version information: before 5.11.7.0..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.

CVE-2013-2068 CRITICAL POC
9.4 Sep 28

Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow re

CVE-2013-2050 HIGH POC
7.5 Jan 11

SQL injection vulnerability in the miq_policy controller in Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 and Mana

CVE-2020-1733 MEDIUM POC
5.0 Mar 11

A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a play

CVE-2016-7040 HIGH
8.8 Oct 07

Red Hat CloudForms Management Engine 4.1 does not properly handle regular expressions passed to the expression engine vi

CVE-2013-4172 HIGH
8.5 Aug 23

The Red Hat CloudForms Management Engine 5.1 allow remote administrators to execute arbitrary Ruby code via unspecified

CVE-2020-1735 MEDIUM POC
4.6 Mar 16

A flaw was found in the Ansible Engine when the fetch module is used. Rated medium severity (CVSS 4.6), this vulnerabili

CVE-2018-10905 HIGH
7.8 Jul 24

CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms.

CVE-2016-4457 HIGH
7.5 Jun 08

CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate. Rated high severity (CVSS 7.5), this vul

CVE-2020-1736 LOW POC
3.3 Mar 16

A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified

CVE-2020-14296 HIGH
7.1 Aug 11

Red Hat CloudForms 4.7 and 5 was vulnerable to Server-Side Request Forgery (SSRF) flaw. Rated high severity (CVSS 7.1),

CVE-2019-10177 MEDIUM
6.5 Jun 27

A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and

CVE-2020-10780 MEDIUM
6.3 Aug 11

Red Hat CloudForms 4.7 and 5 is affected by CSV Injection flaw, a crafted payload stays dormant till a victim export as

Share

CVE-2020-14324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy