CVE-2014-0140
CFME: default routes expose controllers and actions
Severity Score (CVSS v2): 4.0
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits (multiple sources): 0
Exploited in Wild (KEV): -
Decision (SSVC): -
Descriptions
Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request.
It was found that Red Hat CloudForms exposed default routes that were reachable via HTTP(S) requests. An authenticated user could use this flaw to access potentially sensitive controllers and actions that would allow for privilege escalation.
Credits: N/A
CVSS Scores
- Attack Vector
- Attack Complexity
- Authentication
- Confidentiality
- Integrity
- Availability
* Common Vulnerability Scoring System
SSVC
- Decision: -
- Exploitation
- Automatable
- Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2013-12-03 CVE Reserved
- 2014-10-03 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-749: Exposed Dangerous Method or Function
CAPEC
References (3)
URL | Date | Source
---|---|---
http://rhn.redhat.com/errata/RHSA-2014-1317.html | 2023-02-13 |
https://bugzilla.redhat.com/show_bug.cgi?id=1077359 | 2014-10-02 |
https://access.redhat.com/security/cve/CVE-2014-0140 | 2014-10-02 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Redhat | Cloudforms 3.0.1 Management Engine | 5.2.1 | - | Affected
Redhat | Cloudforms 3.0.2 Management Engine | 5.2.2 | - | Affected
Redhat | Cloudforms 3.0.3 Management Engine | 5.2.3 | - | Affected
Redhat | Cloudforms 3.0.4 Management Engine | 5.2.4 | - | Affected
Redhat | Cloudforms 3.0.5 Management Engine | <= 5.2.5 | - | Affected
Redhat | Cloudforms 3.0 Management Engine | 5.2 | - | Affected