Description
An out-of-band OS command injection vulnerability was found in ManageIQ. An authenticated malicious attacker could execute arbitrary commands on the server by sending a specially crafted request. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Acknowledgements
Red Hat would like to thank Sruthi M (IBM) and Pravat Kumar Sahoo (IBM) for reporting this issue.
https://access.redhat.com/security/cve/cve-2020-14324
Details
A user could send a malicious payload to /api/conversion_hosts via the "auth_user" key. This payload would then be executed on the appliance directly without being properly escaped. This vector has already been fixed in jansa or greater and only exists in ivanchuk.
Fixed in ivanchuk-7
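The advisory does not show the affected ManageIQ code, so the following is an added illustration of the defect class it describes (a request value reaching a command line without escaping) and of the two standard fixes, written for this page rather than taken from the project. The command being built is a hypothetical one: `echo` stands in for whatever tool the appliance invoked, and the "auth_user" value is a constructed sample. Everything it runs is harmless and offline.

```ruby
require 'open3'
require 'shellwords'

# Hypothetical stand-in for the tool the appliance ran with the user-supplied
# value; it is NOT the command ManageIQ used, which the advisory does not name.
HYPOTHETICAL_TOOL = 'echo'

# Vulnerable pattern: the value is interpolated into ONE string. Because the
# string contains shell metacharacters, Ruby hands it to /bin/sh, which parses
# ';', '&&', '|', '$(...)' etc. as syntax rather than as data.
def run_unsafe(auth_user)
  command = "#{HYPOTHETICAL_TOOL} #{auth_user}"
  output, _status = Open3.capture2(command)
  output
end

# Fix 1 (acceptable when a string must be built): escape the value so the shell
# sees a single quoted word. Shellwords.escape is in the standard library.
def run_escaped(auth_user)
  command = "#{HYPOTHETICAL_TOOL} #{Shellwords.escape(auth_user)}"
  output, _status = Open3.capture2(command)
  output
end

# Fix 2 (preferred): pass an argv array. With more than one argument Ruby
# exec()s the program directly; no shell ever parses the user input.
def run_safe(auth_user)
  output, _status = Open3.capture2(HYPOTHETICAL_TOOL, auth_user)
  output
end

# Defence in depth: validate at the API boundary before the value can reach
# any command construction. The allowed character set is an assumption; a
# real deployment would match it to the credential format it actually accepts.
def valid_auth_user?(auth_user)
  auth_user.is_a?(String) && auth_user.match?(/\A[A-Za-z0-9_.@-]{1,64}\z/)
end

if __FILE__ == $PROGRAM_NAME
  sample = 'bob; echo injected' # constructed value containing a separator
  puts "unsafe:  #{run_unsafe(sample).inspect}"  # two commands ran
  puts "escaped: #{run_escaped(sample).inspect}" # one command, value intact
  puts "argv:    #{run_safe(sample).inspect}"    # one command, value intact
  puts "valid?   #{valid_auth_user?(sample)}"    # rejected before it gets there
end
```

The argv form is the one to reach for in Rails code paths that shell out (`system`, `Open3`, `IO.popen` all accept it); escaping is a fallback for the rare case where a single command string is unavoidable, and input validation on the API parameter is an additional layer rather than a substitute for either.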