{"containers": {"cna": {"affected": [{"product": "CloudForms", "vendor": "n/a", "versions": [{"status": "affected", "version": "cfme 5.11.7.0"}]}], "descriptions": [{"lang": "en", "value": "A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5.11.7.0. The out of band OS command injection vulnerability can be exploited by authenticated attacker while setuping conversion host through Infrastructure Migration Solution. This flaw allows attacker to execute arbitrary commands on CloudForms server."}], "problemTypes": [{"descriptions": [{"description": "OS Command Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-08-11T13:19:47", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1855713"}, {"tags": ["x_refsource_MISC"], "url": "https://access.redhat.com/security/cve/cve-2020-14324"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-14324", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CloudForms", "version": {"version_data": [{"version_value": "cfme 5.11.7.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5.11.7.0. The out of band OS command injection vulnerability can be exploited by authenticated attacker while setuping conversion host through Infrastructure Migration Solution. This flaw allows attacker to execute arbitrary commands on CloudForms server."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1855713", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1855713"}, {"name": "https://access.redhat.com/security/cve/cve-2020-14324", "refsource": "MISC", "url": "https://access.redhat.com/security/cve/cve-2020-14324"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:39:36.479Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1855713"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://access.redhat.com/security/cve/cve-2020-14324"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-14324", "datePublished": "2020-08-11T13:19:47", "dateReserved": "2020-06-17T00:00:00", "dateUpdated": "2024-08-04T12:39:36.479Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:cloudforms_management_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD77E5C7-A9B8-4C86-981C-44FA1DDE7557", "versionEndExcluding": "5.11.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5.11.7.0. The out of band OS command injection vulnerability can be exploited by authenticated attacker while setuping conversion host through Infrastructure Migration Solution. This flaw allows attacker to execute arbitrary commands on CloudForms server."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de alta gravedad en todas las versiones activas de Red Hat CloudForms versiones anteriores a 5.11.7.0. La vulnerabilidad de inyecci\u00f3n de comandos del Sistema Operativo fuera de banda puede ser explotada por parte de un atacante autenticado mientras configura el host de conversi\u00f3n por medio de Infrastructure Migration Solution. Este fallo permite a un atacante ejecutar comandos arbitrarios en el servidor de CloudForms"}], "id": "CVE-2020-14324", "lastModified": "2020-08-13T16:46:55.333", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-11T14:15:11.617", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/cve-2020-14324"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1855713"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Pravat Kumar Sahoo (IBM) and Sruthi M (IBM) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:3574", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "impact": "important", "package": "cfme-0:5.10.16.0-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2020-08-27T00:00:00Z"}, {"advisory": "RHSA-2020:3358", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.11::el8", "impact": "important", "package": "cfme-0:5.11.7.3-1.el8cf", "product_name": "CloudForms Management Engine 5.11", "release_date": "2020-08-06T00:00:00Z"}], "bugzilla": {"description": "CloudForms: Out-of-band OS Command Injection through conversion host", "id": "1855713", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1855713"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-78", "details": ["A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5.11.7.0. The out of band OS command injection vulnerability can be exploited by authenticated attacker while setuping conversion host through Infrastructure Migration Solution. This flaw allows attacker to execute arbitrary commands on CloudForms server.", "An out-of-band OS command injection vulnerability was found in Red Hat CloudForms. An authenticated malicious attacker could execute arbitrary commands on the server by sending a specially crafted request. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible."}, "name": "CVE-2020-14324", "public_date": "2020-08-03T13:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-14324\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14324"], "threat_severity": "Important", "upstream_fix": "cfme 5.11.7.0"}