CVE-2014-0140
CFME: default routes expose controllers and actions
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request.
Red Hat CloudForms 3.1 Management Engine (CFME) anterior a 5.3 permite a usuarios remotos autenticados acceder a controladores y acciones sensibles a través de una solicitud HTTP o HTTPS directa.
It was found that Red Hat CloudForms exposed default routes that were reachable via HTTP(S) requests. An authenticated user could use this flaw to access potentially sensitive controllers and actions that would allow for privilege escalation.
Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. It was found that Red Hat CloudForms exposed default routes that were reachable via HTTP requests. An authenticated user could use this flaw to access potentially sensitive controllers and actions that would allow for privilege escalation.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2013-12-03 CVE Reserved
- 2014-10-03 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-749: Exposed Dangerous Method or Function
CAPEC
References (3)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2014-1317.html | 2023-02-13 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1077359 | 2014-10-02 | |
| https://access.redhat.com/security/cve/CVE-2014-0140 | 2014-10-02 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Cloudforms 3.0.1 Management Engine Search vendor "Redhat" for product "Cloudforms 3.0.1 Management Engine" | 5.2.1 Search vendor "Redhat" for product "Cloudforms 3.0.1 Management Engine" and version "5.2.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Cloudforms 3.0.2 Management Engine Search vendor "Redhat" for product "Cloudforms 3.0.2 Management Engine" | 5.2.2 Search vendor "Redhat" for product "Cloudforms 3.0.2 Management Engine" and version "5.2.2" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Cloudforms 3.0.3 Management Engine Search vendor "Redhat" for product "Cloudforms 3.0.3 Management Engine" | 5.2.3 Search vendor "Redhat" for product "Cloudforms 3.0.3 Management Engine" and version "5.2.3" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Cloudforms 3.0.4 Management Engine Search vendor "Redhat" for product "Cloudforms 3.0.4 Management Engine" | 5.2.4 Search vendor "Redhat" for product "Cloudforms 3.0.4 Management Engine" and version "5.2.4" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Cloudforms 3.0.5 Management Engine Search vendor "Redhat" for product "Cloudforms 3.0.5 Management Engine" | <= 5.2.5 Search vendor "Redhat" for product "Cloudforms 3.0.5 Management Engine" and version " <= 5.2.5" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Cloudforms 3.0 Management Engine Search vendor "Redhat" for product "Cloudforms 3.0 Management Engine" | 5.2 Search vendor "Redhat" for product "Cloudforms 3.0 Management Engine" and version "5.2" | - |
Affected
| ||||||