CVE-2017-2653

EPSS 0.4%
Veröffentlicht 27.07.2018 18:29:01
Zuletzt bearbeitet 21.11.2024 03:23:55
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting or similar attacks in order to execute.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Redhat ≫ Cloudforms Management Engine Version < 5.7.2.1

Redhat ≫ Cloudforms Version4.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.4%	0.596

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:N/I:P/A:N
secalert@redhat.com	4.1	2.3	1.4	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.securityfocus.com/bid/96964

Third Party Advisory

VDB Entry

https://access.redhat.com/errata/RHSA-2017:0898

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2653

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2017-2653

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-2653

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-2653

EUVD