CVE-2020-10780 – CloudForms: CSV Injection in Orchestration Templates
https://notcve.org/view.php?id=CVE-2020-10780
Red Hat CloudForms 4.7 and 5 are affected by a CSV injection flaw: a crafted payload stays dormant until a victim exports data as CSV and opens the file with Excel. Once the victim opens the file, the formula executes, triggering any number of possible events. While this is strictly not a flaw that affects the application directly, attackers could use the loosely validated parameters to trigger several attack possibilities. • https://access.redhat.com/security/cve/cve-2020-10780 https://bugzilla.redhat.com/show_bug.cgi?id=1847794 https://access.redhat.com/security/cve/CVE-2020-10780 • CWE-20: Improper Input Validation CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVE-2020-14325 – CloudForms: User Impersonation in the API for OIDC and SAML
https://notcve.org/view.php?id=CVE-2020-14325
Red Hat CloudForms before 5.11.7.0 was vulnerable to a user impersonation authorization flaw which allows a malicious attacker to create existent and non-existent role-based access control users, with groups and roles. With a selected group of EvmGroup-super_administrator, an attacker can perform any API request as a super administrator. A vulnerability was found in Red Hat CloudForms which allows a malicious attacker to impersonate any user or create a non-existent user with any entitlement in the appliance and perform an API request. • https://access.redhat.com/security/cve/cve-2020-14325 https://bugzilla.redhat.com/show_bug.cgi?id=1855739 https://access.redhat.com/security/cve/CVE-2020-14325 • CWE-285: Improper Authorization •
CVE-2020-10783 – CloudForms: Missing access control leads to escalation of admin group privileges
https://notcve.org/view.php?id=CVE-2020-10783
Red Hat CloudForms 4.7 and 5 are affected by a role-based privilege escalation flaw. An attacker in the EVM-Operator group can perform actions restricted to the EVM-Super-administrator group, such as exporting or importing administrator files. A role-based privilege escalation flaw was found in Red Hat CloudForms where export or import of administrator files was possible. An attacker in the EVM-Operator group can perform actions restricted only to the system administrator. Refer to CVE-2020-25716 for the remaining RBAC group fixes. • https://access.redhat.com/security/cve/cve-2020-10783 https://bugzilla.redhat.com/show_bug.cgi?id=1847811 https://access.redhat.com/security/cve/CVE-2020-10783 • CWE-284: Improper Access Control •
CVE-2020-10778 – CloudForms: Business logic bypass through widgets
https://notcve.org/view.php?id=CVE-2020-10778
In Red Hat CloudForms 4.7 and 5, read-only widgets can be edited by inspecting the forms and dropping the disabled attribute from the fields, since there is no server-side validation. This business logic flaw violates the expected behavior. A business logic flaw was found in Red Hat CloudForms where the read-only values of the widgets could be altered. An attacker with low privileges could bypass server-side validation by dropping the disabled attribute from the fields. • https://access.redhat.com/security/cve/cve-2020-10778 https://bugzilla.redhat.com/show_bug.cgi?id=1847628 https://access.redhat.com/security/cve/CVE-2020-10778 • CWE-669: Incorrect Resource Transfer Between Spheres CWE-863: Incorrect Authorization •
CVE-2020-14296 – CloudForms: Server-Side Request Forgery (SSRF) in Ansible Tower Provider
https://notcve.org/view.php?id=CVE-2020-14296
Red Hat CloudForms 4.7 and 5 were vulnerable to a Server-Side Request Forgery (SSRF) flaw. With access to add an Ansible Tower provider, an attacker could scan and attack systems on the internal network which are not normally accessible. A Server-Side Request Forgery flaw was found in Red Hat CloudForms where malicious requests can be sent from the vulnerable server. An attacker with the privileges to add an Ansible Tower provider could inject URLs with port details or with internal IPs to observe the internal network. • https://access.redhat.com/security/cve/cve-2020-14296 https://bugzilla.redhat.com/show_bug.cgi?id=1847860 https://access.redhat.com/security/cve/CVE-2020-14296 • CWE-918: Server-Side Request Forgery (SSRF) •