CVE-2016-7071
moderate-risk
Published 2018-09-10
It was found that the CloudForms before 5.6.2.2, and 5.7.0.7 did not properly apply permissions controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbitrary VMs on systems managed by CloudForms if they know the ID of the VM.
Do I need to act?
-
0.47% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10
High
NETWORK
/ LOW complexity
Affected Products (2)
Affected Vendors
References (4)
Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2016-2091.html
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7071
Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2016-2091.html
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7071
39
/ 100
moderate-risk
Severity
30/34 · Critical
Exploitability
2/34 · Minimal
Exposure
7/34 · Low