CVE-2014-3642

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2014-3642
vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method."

6.5 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
http://rhn.redhat.com/errata/RHSA-2014-1317.html Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1092894
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:redhat:cloudforms_3.0.1_management_engine:5.2.1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:cloudforms_3.0.2_management_engine:5.2.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:cloudforms_3.0.3_management_engine:5.2.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:cloudforms_3.0.4_management_engine:5.2.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:cloudforms_3.0.5_management_engine:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:cloudforms_3.0_management_engine:5.2:*:*:*:*:*:*:*
History

13 Feb 2023, 00:41

Type Values Removed Values Added
Summary It was found that Red Hat CloudForms contained an insecure send method that accepted user-supplied arguments. An authenticated user could use this flaw to modify the program flow in a way that could result in privilege escalation. vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method."
References
  • {'url': 'https://access.redhat.com/errata/RHSA-2014:1317', 'name': 'https://access.redhat.com/errata/RHSA-2014:1317', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/security/cve/CVE-2014-3642', 'name': 'https://access.redhat.com/security/cve/CVE-2014-3642', 'tags': [], 'refsource': 'MISC'}

02 Feb 2023, 16:15

Type Values Removed Values Added
References
  • (MISC) https://access.redhat.com/errata/RHSA-2014:1317 -
  • (MISC) https://access.redhat.com/security/cve/CVE-2014-3642 -
Summary vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method." It was found that Red Hat CloudForms contained an insecure send method that accepted user-supplied arguments. An authenticated user could use this flaw to modify the program flow in a way that could result in privilege escalation.
Information

Published : 2014-10-06 14:55

Updated : 2023-12-10 11:31

NVD link : CVE-2014-3642

Mitre link : CVE-2014-3642

CVE.ORG link : CVE-2014-3642

JSON object : View

Products Affected

redhat

  • cloudforms_3.0.4_management_engine
  • cloudforms_3.0.2_management_engine
  • cloudforms_3.0.1_management_engine
  • cloudforms_3.0.5_management_engine
  • cloudforms_3.0.3_management_engine
  • cloudforms_3.0_management_engine
CWE
CWE-264

Permissions, Privileges, and Access Controls