CVE-2014-3642
CFME: dangerous send method in performance.rb
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method."
vmdb/app/controllers/application_controller/performance.rb en Red Hat CloudForms 3.1 Management Engine (CFME) anterior a 5.3 permite a usuarios remotos autenticados ganar privilegios a través de vectores no especificados, relacionado con un 'método de envió inseguro.'
It was found that Red Hat CloudForms contained an insecure send method that accepted user-supplied arguments. An authenticated user could use this flaw to modify the program flow in a way that could result in privilege escalation.
Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. It was found that Red Hat CloudForms exposed default routes that were reachable via HTTP requests. An authenticated user could use this flaw to access potentially sensitive controllers and actions that would allow for privilege escalation.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-05-14 CVE Reserved
- 2014-10-03 CVE Published
- 2024-08-06 CVE Updated
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CAPEC
References (3)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2014-1317.html | 2023-02-13 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1092894 | 2014-10-02 | |
| https://access.redhat.com/security/cve/CVE-2014-3642 | 2014-10-02 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Cloudforms 3.0.1 Management Engine Search vendor "Redhat" for product "Cloudforms 3.0.1 Management Engine" | 5.2.1 Search vendor "Redhat" for product "Cloudforms 3.0.1 Management Engine" and version "5.2.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Cloudforms 3.0.2 Management Engine Search vendor "Redhat" for product "Cloudforms 3.0.2 Management Engine" | 5.2.2 Search vendor "Redhat" for product "Cloudforms 3.0.2 Management Engine" and version "5.2.2" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Cloudforms 3.0.3 Management Engine Search vendor "Redhat" for product "Cloudforms 3.0.3 Management Engine" | 5.2.3 Search vendor "Redhat" for product "Cloudforms 3.0.3 Management Engine" and version "5.2.3" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Cloudforms 3.0.4 Management Engine Search vendor "Redhat" for product "Cloudforms 3.0.4 Management Engine" | 5.2.4 Search vendor "Redhat" for product "Cloudforms 3.0.4 Management Engine" and version "5.2.4" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Cloudforms 3.0.5 Management Engine Search vendor "Redhat" for product "Cloudforms 3.0.5 Management Engine" | <= 5.2.5 Search vendor "Redhat" for product "Cloudforms 3.0.5 Management Engine" and version " <= 5.2.5" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Cloudforms 3.0 Management Engine Search vendor "Redhat" for product "Cloudforms 3.0 Management Engine" | 5.2 Search vendor "Redhat" for product "Cloudforms 3.0 Management Engine" and version "5.2" | - |
Affected
| ||||||