OpenCVE

Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Impersonation authorization flaw which allows malicious attacker to create existent and non-existent role-based access control user, with groups and roles. With a selected group of EvmGroup-super_administrator, an attacker can perform any API request as a super administrator.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Cloudforms Cloudforms Managementengine

Configuration 1 [-]

cpe:2.3:a:redhat:cloudforms:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
CloudForms Management Engine 5.10
cfme-appliance-0:5.10.16.0-1.el7cf	cpe:/a:redhat:cloudforms_managementengine:5.10::el7	RHSA-2020:3574	2020-08-27T00:00:00Z
CloudForms Management Engine 5.11
cfme-0:5.11.7.3-1.el8cf	cpe:/a:redhat:cloudforms_managementengine:5.11::el8	RHSA-2020:3358	2020-08-06T00:00:00Z

References

Link	Providers
https://access.redhat.com/security/cve/cve-2020-14325
https://bugzilla.redhat.com/show_bug.cgi?id=1855739
https://github.com/ManageIQ/manageiq/security/advisories/GHSA-84f5-5g5v-g8vr
https://nvd.nist.gov/vuln/detail/CVE-2020-14325
https://www.cve.org/CVERecord?id=CVE-2020-14325

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2020-08-11T12:49:44

Updated: 2024-08-04T12:39:36.480Z

Reserved: 2020-06-17T00:00:00

Link: CVE-2020-14325

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-08-11T13:15:12.367

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-14325

Redhat

Severity : Critical

Publid Date: 2020-08-03T13:30:00Z

Links: CVE-2020-14325 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "CloudForms", "vendor": "n/a", "versions": [{"status": "affected", "version": "cfme 5.11.7.0"}]}], "descriptions": [{"lang": "en", "value": "Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Impersonation authorization flaw which allows malicious attacker to create existent and non-existent role-based access control user, with groups and roles. With a selected group of EvmGroup-super_administrator, an attacker can perform any API request as a super administrator."}], "problemTypes": [{"descriptions": [{"description": "Improper Authorization", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-08-11T12:49:44", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1855739"}, {"tags": ["x_refsource_MISC"], "url": "https://access.redhat.com/security/cve/cve-2020-14325"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-14325", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CloudForms", "version": {"version_data": [{"version_value": "cfme 5.11.7.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Impersonation authorization flaw which allows malicious attacker to create existent and non-existent role-based access control user, with groups and roles. With a selected group of EvmGroup-super_administrator, an attacker can perform any API request as a super administrator."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Authorization"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1855739", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1855739"}, {"name": "https://access.redhat.com/security/cve/cve-2020-14325", "refsource": "MISC", "url": "https://access.redhat.com/security/cve/cve-2020-14325"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:39:36.480Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1855739"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://access.redhat.com/security/cve/cve-2020-14325"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-14325", "datePublished": "2020-08-11T12:49:44", "dateReserved": "2020-06-17T00:00:00", "dateUpdated": "2024-08-04T12:39:36.480Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:cloudforms:*:*:*:*:*:*:*:*", "matchCriteriaId": "973CD398-5551-46DC-873D-374334918A4C", "versionEndExcluding": "5.11.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Impersonation authorization flaw which allows malicious attacker to create existent and non-existent role-based access control user, with groups and roles. With a selected group of EvmGroup-super_administrator, an attacker can perform any API request as a super administrator."}, {"lang": "es", "value": "Red Hat CloudForms versiones anteriores a 5.11.7.0, era vulnerable a un fallo de autorizaci\u00f3n de Suplantaci\u00f3n de Usuario que permite a un atacante malicioso crear un usuario de control de acceso basado en roles existente y no existente, con grupos y roles. Con un grupo seleccionado de EvmGroup-super_administrator, un atacante puede llevar a cabo cualquier petici\u00f3n de la API como superadministrador"}], "id": "CVE-2020-14325", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-11T13:15:12.367", "references": [{"source": "secalert@redhat.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://access.redhat.com/security/cve/cve-2020-14325"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Mitigation", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1855739"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Alberto Bellotti (Red Hat).", "affected_release": [{"advisory": "RHSA-2020:3574", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "impact": "critical", "package": "cfme-appliance-0:5.10.16.0-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2020-08-27T00:00:00Z"}, {"advisory": "RHSA-2020:3358", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.11::el8", "impact": "critical", "package": "cfme-0:5.11.7.3-1.el8cf", "product_name": "CloudForms Management Engine 5.11", "release_date": "2020-08-06T00:00:00Z"}], "bugzilla": {"description": "CloudForms: User Impersonation in the API for OIDC and SAML", "id": "1855739", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1855739"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L", "status": "verified"}, "cwe": "CWE-285", "details": ["Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Impersonation authorization flaw which allows malicious attacker to create existent and non-existent role-based access control user, with groups and roles. With a selected group of EvmGroup-super_administrator, an attacker can perform any API request as a super administrator.", "A vulnerability was found in Red Hat CloudForms which allows a malicious attacker to impersonate any user or create a non-existent user with any entitlement in the appliance and perform an API request."], "mitigation": {"lang": "en:us", "value": "Red Hat recommends upgrading to secured released versions, however, this flaw can be mitigated by unseting RequestHeader in http configuration. Mitigation steps would be:\n1. Stop httpd service\n$ systemctl stop httpd\n2. Add following additional unset at `/etc/httpd/conf.d/manageiq-remote-user-openidc.conf` and `/etc/httpd/conf.d/manageiq-remote-user.conf`, right before `X_REMOTE_USER` unset. \n~~~\nRequestHeader unset X-REMOTE-USER\nRequestHeader unset X-REMOTE_USER\nRequestHeader unset X_REMOTE-USER\n~~~\n3. Validate configuration files to make sure all syntax is valid\n$ apachectl configtest\n4. Restart httpd service\n$ systemctl start httpd"}, "name": "CVE-2020-14325", "public_date": "2020-08-03T13:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-14325\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14325\nhttps://github.com/ManageIQ/manageiq/security/advisories/GHSA-84f5-5g5v-g8vr"], "statement": "The vulnerability and related criticality depends on the product releases and protocols. \nIn CloudForms 5.11, attacker need to be authenticated through OIDC but SAML do not need any authentication for exploitation. However, for CloudForms 5.10, both SAML and OIDC protocols does not need authentication and attacker can impersonate users previously logged in.\nRed Hat does not support CloudForms 5.9 and earlier releases, however, confirms vulnerability affects SAML protocol but not OIDC.\nReference metrics: https://bugzilla.redhat.com/show_bug.cgi?id=1855739#c3", "threat_severity": "Critical", "upstream_fix": "cfme 5.11.7.0"}