CVE-2014-7814

SQL injection vulnerability in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 allows remote authenticated users to execute arbitrary SQL commands via a crafted REST API request to an SQL filter.
Configurations

Configuration 1

cpe:2.3:a:redhat:cloudforms_3.1_management_engine:5.3:*:*:*:*:*:*:*

History

13 Feb 2023, 00:42

Type: References
Values Removed:
  • (MISC) https://access.redhat.com/security/cve/CVE-2014-7814
  • (MISC) https://access.redhat.com/errata/RHSA-2015:0028
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1157881

Type: Summary
Values Removed: It was found that CloudForms 4 exposed SQL filters via the REST API without any input escaping. An authenticated user could use this flaw to perform SQL injection attacks against the CloudForms Management Engine database.
Values Added: SQL injection vulnerability in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 allows remote authenticated users to execute arbitrary SQL commands via a crafted REST API request to an SQL filter.

02 Feb 2023, 16:16

Type: References
Values Added:
  • (MISC) https://access.redhat.com/security/cve/CVE-2014-7814
  • (MISC) https://access.redhat.com/errata/RHSA-2015:0028
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1157881

Type: Summary
Values Removed: SQL injection vulnerability in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 allows remote authenticated users to execute arbitrary SQL commands via a crafted REST API request to an SQL filter.
Values Added: It was found that CloudForms 4 exposed SQL filters via the REST API without any input escaping. An authenticated user could use this flaw to perform SQL injection attacks against the CloudForms Management Engine database.

Information

Published : 2015-01-16 16:59

Updated : 2023-12-10 11:31


NVD link : CVE-2014-7814

Mitre link : CVE-2014-7814

CVE.ORG link : CVE-2014-7814


Products Affected

redhat

  • cloudforms_3.1_management_engine
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')