{"containers": {"cna": {"affected": [{"product": "CloudForms", "vendor": "n/a", "versions": [{"status": "affected", "version": "4.7 and 5"}]}], "descriptions": [{"lang": "en", "value": "Red Hat CloudForms 4.7 and 5 leads to insecure direct object references (IDOR) and functional level access control bypass due to missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within the CloudForms."}], "problemTypes": [{"descriptions": [{"description": "Improper Access Control", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-08-11T12:40:35", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1847647"}, {"tags": ["x_refsource_MISC"], "url": "https://access.redhat.com/security/cve/cve-2020-10779"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-10779", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CloudForms", "version": {"version_data": [{"version_value": "4.7 and 5"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Red Hat CloudForms 4.7 and 5 leads to insecure direct object references (IDOR) and functional level access control bypass due to missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within the CloudForms."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1847647", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1847647"}, {"name": "https://access.redhat.com/security/cve/cve-2020-10779", "refsource": "MISC", "url": "https://access.redhat.com/security/cve/cve-2020-10779"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:14:15.372Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1847647"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://access.redhat.com/security/cve/cve-2020-10779"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-10779", "datePublished": "2020-08-11T12:40:35", "dateReserved": "2020-03-20T00:00:00", "dateUpdated": "2024-08-04T11:14:15.372Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*", "matchCriteriaId": "04AC556D-D511-4C4C-B9FB-A089BB2FEFD5", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:cloudforms:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "96219412-BF5F-408D-911B-8545D409A297", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Red Hat CloudForms 4.7 and 5 leads to insecure direct object references (IDOR) and functional level access control bypass due to missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within the CloudForms."}, {"lang": "es", "value": "Red Hat CloudForms versiones 4.7 y 5, conlleva a una referencia directa a objeto no segura (IDOR) y a una omisi\u00f3n de control de acceso de nivel funcional debido a una falta de comprobaci\u00f3n de privilegios. Por lo tanto, si un atacante conoce los criterios correctos, es posible acceder a algunos datos confidenciales dentro de CloudForms"}], "id": "CVE-2020-10779", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-11T13:15:12.087", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/cve-2020-10779"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1847647"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Purnachand Pulahari (IBM) and Ranjit Kumar Singh (IBM) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:3358", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.11::el8", "impact": "important", "package": "cfme-gemset-0:5.11.7.3-1.el8cf", "product_name": "CloudForms Management Engine 5.11", "release_date": "2020-08-06T00:00:00Z"}], "bugzilla": {"description": "CloudForms: Missing functional level access control & IDOR lead to compromise", "id": "1847647", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1847647"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "status": "verified"}, "cwe": "CWE-284", "details": ["Red Hat CloudForms 4.7 and 5 leads to insecure direct object references (IDOR) and functional level access control bypass due to missing privilege check. Therefore, if an attacker knows the right criteria, it is possible to access some sensitive data within the CloudForms.", "A flaw was found in Red Hat CloudForms where sensitive data would have been possibly leaked for other existing roles. An attacker with low privilege could make use of EVM-Admin API if certain criteria is met since there was no privilege check on feature."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible."}, "name": "CVE-2020-10779", "public_date": "2020-08-03T13:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-10779\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10779"], "threat_severity": "Important", "upstream_fix": "cfme-gemset 5.11.7.1"}