Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-14369

This release fixes a Cross Site Request Forgery vulnerability was found in Red Hat CloudForms which forces end users to execute unwanted actions on a web application in which the user is currently authenticated. An attacker can make a forgery HTTP request to the server by crafting custom flash file which can force the user to perform state changing requests like provisioning VMs, running ansible playbooks and so forth.

Published

2020-12-02T15:15:12.313

Last Modified

2024-11-21T05:03:06.627

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-352
Type: Primary
CWE-352

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	redhat	cloudforms	≤ 5.11	Yes

References

https://bugzilla.redhat.com/show_bug.cgi?id=1871921 Issue Tracking, Vendor Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=1871921 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)