CVE-2016-7071
First published: Mon Sep 10 2018(Updated: )
It was found that the CloudForms before 5.6.2.2, and 5.7.0.7 did not properly apply permissions controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbitrary VMs on systems managed by CloudForms if they know the ID of the VM.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Cloudforms Management Engine | <5.6.2.2 | |
| Redhat Cloudforms Management Engine | >=5.7.0.0<5.7.0.7 | |
| Redhat Cloudforms | =4.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2016-7071?
CVE-2016-7071 is a vulnerability found in CloudForms before versions 5.6.2.2 and 5.7.0.7 that allows a remote attacker to execute arbitrary virtual machines on systems managed by CloudForms.
How severe is CVE-2016-7071?
CVE-2016-7071 has a severity rating of 8.8 (Critical).
What is the affected software for CVE-2016-7071?
The affected software for CVE-2016-7071 is Redhat Cloudforms Management Engine versions up to 5.6.2.2 and versions 5.7.0.0 to 5.7.0.7, as well as Redhat Cloudforms version 4.1.
How does CVE-2016-7071 work?
CVE-2016-7071 occurs when CloudForms does not properly apply permissions controls to VM IDs passed by users, allowing a remote authenticated attacker to execute arbitrary virtual machines by knowing the ID of the VM.
Are there any references for CVE-2016-7071?
Yes, you can find references for CVE-2016-7071 at the following links: http://rhn.redhat.com/errata/RHSA-2016-2091.html, https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7071
- collector/nvd-index
- vendor/redhat
- canonical/redhat cloudforms management engine
- version/redhat cloudforms management engine/5.7.0.0
- canonical/redhat cloudforms
- version/redhat cloudforms/4.1