Description
A flaw was found in ManageIQ where a malicious payload supplied to Policy import could run arbitrary code.
Mitigation
If possible, restrict users, via RBAC, to only the part of the application that they need access to. By default, policy import is only available to admins.
At this time there are no workarounds outside of directly patching with the fixed code, so it is recommended to upgrade immediately to a patched version.
Acknowledgements
ManageIQ would like to thank Divyesh Prajapati for reporting this issue.
https://www.cve.org/CVERecord?id=CVE-2024-43191
Details
Fixed in quinteros-2