{"containers": {"cna": {"affected": [{"product": "CFME", "vendor": "[UNKNOWN]", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-05-08T00:00:00", "descriptions": [{"lang": "en", "value": "The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-07-28T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7497"}, {"name": "RHSA-2017:1601", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1601"}, {"name": "RHSA-2017:1758", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1758"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T16:04:11.900Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7497"}, {"name": "RHSA-2017:1601", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1601"}, {"name": "RHSA-2017:1758", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1758"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-7497", "datePublished": "2018-07-27T15:00:00", "dateReserved": "2017-04-05T00:00:00", "dateUpdated": "2024-08-05T16:04:11.900Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:cloudforms_management_engine:5.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "886BAA5E-B586-4FE7-88B3-573113E6286A", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:cloudforms_management_engine:5.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "0678E212-F06D-403C-9D16-CAF33027019D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant."}, {"lang": "es", "value": "El di\u00e1logo para crear vol\u00famenes de cloud (cinder provider) en CloudForms no filtra a los inquilinos de cloud por usuario. Un atacante con la capacidad de crear vol\u00famenes de almacenamiento podr\u00eda usar esto para crear vol\u00famenes de almacenamiento para cualquier otro inquilino."}], "id": "CVE-2017-7497", "lastModified": "2024-11-21T03:32:01.240", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 0.7, "impactScore": 3.4, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-27T15:29:00.517", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1601"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1758"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7497"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1601"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1758"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7497"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Gellert Kis (Red Hat).", "affected_release": [{"advisory": "RHSA-2017:1601", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.7::el7", "package": "cfme-0:5.7.3.2-1.el7cf", "product_name": "CloudForms Management Engine 5.7", "release_date": "2017-06-28T00:00:00Z"}, {"advisory": "RHSA-2017:1601", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.7::el7", "package": "cfme-appliance-0:5.7.3.2-1.el7cf", "product_name": "CloudForms Management Engine 5.7", "release_date": "2017-06-28T00:00:00Z"}, {"advisory": "RHSA-2017:1601", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.7::el7", "package": "cfme-gemset-0:5.7.3.2-1.el7cf", "product_name": "CloudForms Management Engine 5.7", "release_date": "2017-06-28T00:00:00Z"}, {"advisory": "RHSA-2017:1601", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.7::el7", "package": "rh-ruby23-rubygem-nokogiri-0:1.7.2-1.el7cf", "product_name": "CloudForms Management Engine 5.7", "release_date": "2017-06-28T00:00:00Z"}, {"advisory": "RHSA-2017:1601", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.7::el7", "package": "rh-ruby23-rubygem-ovirt-engine-sdk4-0:4.1.5-1.el7cf", "product_name": "CloudForms Management Engine 5.7", "release_date": "2017-06-28T00:00:00Z"}, {"advisory": "RHSA-2017:1758", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "ansible-0:2.3.0.0-1.el7", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-08-02T00:00:00Z"}, {"advisory": "RHSA-2017:1758", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "ansible-tower-0:3.1.3-1.el7at", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-08-02T00:00:00Z"}, {"advisory": "RHSA-2017:1758", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "cfme-0:5.8.1.5-1.el7cf", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-08-02T00:00:00Z"}, {"advisory": "RHSA-2017:1758", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "cfme-appliance-0:5.8.1.5-1.el7cf", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-08-02T00:00:00Z"}, {"advisory": "RHSA-2017:1758", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "cfme-gemset-0:5.8.1.5-1.el7cf", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-08-02T00:00:00Z"}, {"advisory": "RHSA-2017:1758", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "rh-ruby23-rubygem-nokogiri-0:1.7.2-1.el7cf", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-08-02T00:00:00Z"}], "bugzilla": {"description": "CFME: Dialog for creating cloud volumes does not filter cloud tenants CVE-2017-7497", "id": "1450150", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1450150"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-284", "details": ["The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant.", "The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant."], "name": "CVE-2017-7497", "public_date": "2017-05-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-7497\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-7497"], "threat_severity": "Moderate"}