{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:cloudforms_management_engine:5.10:*:*:*:*:*:*:*", "matchCriteriaId": "BFB7DD21-9B04-4943-ADD1-F2D1EB517686", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:cloudforms_management_engine:5.11:*:*:*:*:*:*:*", "matchCriteriaId": "1CDCF299-40B9-40B5-8398-FF25F9A071EA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the CloudForms management engine version 5.10 and CloudForms management version 5.11, which triggered remote code execution through NFS schedule backup. An attacker logged into the management console could use this flaw to execute arbitrary shell commands on the CloudForms server as root."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en el motor de administraci\u00f3n de CloudForms versi\u00f3n 5.10 y la administraci\u00f3n de CloudForms versi\u00f3n 5.11, que desencaden\u00f3 una ejecuci\u00f3n de c\u00f3digo remota por medio de la copia de seguridad de la programaci\u00f3n NFS. Un atacante que haya iniciado sesi\u00f3n en la consola de administraci\u00f3n podr\u00eda usar este fallo para ejecutar comandos de shell arbitrarios en el servidor de CloudForms como root"}], "id": "CVE-2019-14894", "lastModified": "2024-11-21T04:27:37.830", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-22T18:15:10.900", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14894"}, {"source":
"af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14894"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-78"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Secondary"}]}