CVE-2017-2632

Advisory lineage: Upstream 0, Downstream 1
Status: Downstream, Modified
Published: 27 Jul 2018, 19:00
Last modified: 05 Aug 2024, 14:02

Vulnerability Summary

Overall Risk (default): low (20/100)
CVSS Score: 4.9 MEDIUM, v3.0 (cve.org)
EPSS Score: 0.29% LOW (0% probability, -0.09%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

27 Jul 2018, 19:00: Published (vulnerability first disclosed)
05 Aug 2024, 14:02: Last Modified (vulnerability information updated)

Description

A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate privileges.
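The description names the bug class (CWE-863, an authorization check that runs but compares the wrong thing) without showing what such a check looks like. The following Ruby snippet is an added illustration and is not CloudForms/ManageIQ code: the role table, the `Actor` struct, `valid_role_broken?`, `valid_role_fixed?` and `create_group` are all hypothetical. It models a role validator that confirms the caller is a tenant administrator and that the requested role exists, but never compares the requested role's privilege level with the caller's own, beside a corrected validator that does.

```ruby
# Added illustrative example (not ManageIQ/CloudForms code) of the CWE-863
# pattern described for CVE-2017-2632: a role check that lets a tenant
# administrator create a group with more privilege than the administrator holds.

# Hypothetical role table: role name => privilege level (higher = more privileged).
ROLE_LEVELS = {
  "tenant_user"  => 1,
  "tenant_admin" => 2,
  "super_admin"  => 3,
}.freeze

# Hypothetical actor performing the group creation.
Actor = Struct.new(:name, :role, :tenant)

# Broken-style check (constructed): verifies that the requested role exists and
# that the actor is at least a tenant admin, but never compares the requested
# role's privilege level against the actor's own. A tenant admin therefore
# passes validation when asking for a "super_admin" group.
def valid_role_broken?(actor, requested_role)
  return false unless ROLE_LEVELS.key?(requested_role)
  ROLE_LEVELS[actor.role] >= ROLE_LEVELS["tenant_admin"]
end

# Corrected check: the requested role must exist and must not exceed the
# privilege level of the actor granting it (no delegation above oneself).
def valid_role_fixed?(actor, requested_role)
  return false unless ROLE_LEVELS.key?(requested_role)
  return false unless ROLE_LEVELS.key?(actor.role)
  ROLE_LEVELS[requested_role] <= ROLE_LEVELS[actor.role]
end

# Group creation gated by the supplied validator (a Method object).
# Returns the new group as a Hash, or nil when validation refuses the request.
def create_group(actor, group_name, requested_role, validator)
  return nil unless validator.call(actor, requested_role)
  { name: group_name, role: requested_role, tenant: actor.tenant }
end

if __FILE__ == $0
  admin = Actor.new("alice", "tenant_admin", "tenant-a")
  # Broken validator: the tenant admin obtains a super_admin group.
  p create_group(admin, "ops", "super_admin", method(:valid_role_broken?))
  # Fixed validator: the same request is refused (prints nil).
  p create_group(admin, "ops", "super_admin", method(:valid_role_fixed?))
  # Fixed validator: a role at or below the admin's own level is still allowed.
  p create_group(admin, "ops", "tenant_user", method(:valid_role_fixed?))
end
```

The detection-side takeaway is the same whichever validator a product uses: audit events where a principal creates or edits a group whose effective role outranks the principal's own, since that is exactly the transition the corrected check refuses.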

CVSS Metrics

  • v3.0: MEDIUM, Score: 4.9, Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
  • v2.0: MEDIUM, Score: 4, Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 0.29% Percentile: 53%

Techniques & Countermeasures

  • CWE-863: Incorrect Authorization

    The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • CWE-285: Improper Authorization

    The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Affected Systems

  • Red Hat cfme: 5.7.1.3

  • Red Hat cloudforms: 4.2

  • Red Hat cloudforms_management_engine: < 5.7.1.3

References (3)