CVE-2018-10905

EPSS 0.29%
Published 24.07.2018 13:29:00
Last modified 21.11.2024 03:42:16
Source secalert@redhat.com
Teams watchlist Login
Open Login

CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacker with access to an unprivileged local shell could use this flaw to execute commands as a high privileged user.

Affected products Warnungen 0 Metrics 4 CWE 2 References 6

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Cloudforms Version4.5

Redhat ≫ Cloudforms Version4.6

Redhat ≫ Cloudforms Management Engine Version5.8

Redhat ≫ Cloudforms Management Engine Version5.9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.29%	0.516

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C
secalert@redhat.com	7.8	1.8	5.9	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://access.redhat.com/errata/RHSA-2018:2561

Vendor Advisory

https://access.redhat.com/errata/RHSA-2018:2745

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10905

Vendor Advisory

Issue Tracking

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2018-10905

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-10905

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-10905

EUVD