CVE-2014-0057: Code Injection
First published: Wed Feb 12 2014(Updated: )
Jan Rusnacko of the Red Hat Product Security Team reports: CFME contains an unsafe invocation of send method on user-supplied argument. This issue is reported by Brakeman as problem in ServiceController method x_button: vmdb/app/controllers/service_controller.rb 16 def x_button 17 @explorer = true 18 model, action = pressed2model_action(params[:pressed]) 19 @sb[:action] = action 20 if ["ownership","tag"].include?(action) 21 self.send(params[:pressed],"Service") 22 else 23 self.send(params[:pressed]) 24 end Assuming pressed2model_action sanitizes user input, this look like false-positive. However, pressed2model_action does not do sanitization, and only splits string on underscore: def pressed2model_action(pressed) pressed =~ /^(vm_vdi|miq_template)_(.*)$/ ? [$1, $2] : pressed.split('_', 2) end If action parsed from user-supplied input is neither "ownership", nor "tag", else branch is executed and client can execute arbitrary method on controller, including private.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat CloudForms | =3.0 | |
| Red Hat CloudForms Management Engine | =5.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/references
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-0057
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/redhat
- canonical/red hat cloudforms
- version/red hat cloudforms/3.0
- canonical/red hat cloudforms management engine
- version/red hat cloudforms management engine/5.2