{"containers": {"cna": {"affected": [{"product": "cfme", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "5.8.1.2"}, {"status": "affected", "version": "5.7.3.1"}, {"status": "affected", "version": "5.6.3.0"}]}], "datePublic": "2017-06-28T00:00:00", "descriptions": [{"lang": "en", "value": "A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-09-12T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2017:1601", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1601"}, {"name": "RHSA-2017:1758", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1758"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7047"}, {"name": "99329", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99329"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2016-7047", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "cfme", "version": {"version_data": [{"version_value": "5.8.1.2"}, {"version_value": "5.7.3.1"}, {"version_value": "5.6.3.0"}]}}]}, "vendor_name": "Red Hat"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access."}]}, "impact": {"cvss": [[{"vectorString": "4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}], [{"vectorString": "3.5/AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200"}]}]}, "references": {"reference_data": [{"name": "RHSA-2017:1601", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1601"}, {"name": "RHSA-2017:1758", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1758"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7047", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7047"}, {"name": "99329", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99329"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:50:47.351Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2017:1601", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1601"}, {"name": "RHSA-2017:1758", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1758"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7047"}, {"name": "99329", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/99329"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-7047", "datePublished": "2018-09-11T13:00:00", "dateReserved": "2016-08-23T00:00:00", "dateUpdated": "2024-08-06T01:50:47.351Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:cloudforms:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "CF5B1692-9199-4352-9BAA-423C8424B227", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:*", "matchCriteriaId": "32E1BA91-4695-4E64-A9D7-4A6CB6904D41", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:cloudforms_management_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BACC9D2-860C-4B3F-82A5-E6E1B95863B9", "versionEndExcluding": "5.6.3.0", "versionStartIncluding": "5.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:cloudforms_management_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0E6CAF2-89BD-425F-AF95-B2CF0632387F", "versionEndExcluding": "5.7.3.1", "versionStartIncluding": "5.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:cloudforms_management_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "BEBEBA16-45FA-4213-A801-D4FD52D1B965", "versionEndExcluding": "5.8.1.2", "versionStartIncluding": "5.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access."}, {"lang": "es", "value": "Se ha detectado un error en la API CloudForms en versiones anteriores a las 5.6.3.0, 5.7.3.1 y 5.8.1.2. Un usuario con permisos para emplear la funcionalidad MiqReportResults en la API podr\u00eda ver datos de otros inquilinos o grupos a los que no deber\u00eda tener acceso."}], "id": "CVE-2016-7047", "lastModified": "2024-11-21T02:57:21.200", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-11T13:29:00.590", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99329"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1601"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1758"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7047"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99329"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1601"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1758"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7047"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Simon Lukasik (Red Hat).", "affected_release": [{"advisory": "RHSA-2017:1601", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.7::el7", "package": "cfme-0:5.7.3.2-1.el7cf", "product_name": "CloudForms Management Engine 5.7", "release_date": "2017-06-28T00:00:00Z"}, {"advisory": "RHSA-2017:1601", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.7::el7", "package": "cfme-appliance-0:5.7.3.2-1.el7cf", "product_name": "CloudForms Management Engine 5.7", "release_date": "2017-06-28T00:00:00Z"}, {"advisory": "RHSA-2017:1601", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.7::el7", "package": "cfme-gemset-0:5.7.3.2-1.el7cf", "product_name": "CloudForms Management Engine 5.7", "release_date": "2017-06-28T00:00:00Z"}, {"advisory": "RHSA-2017:1601", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.7::el7", "package": "rh-ruby23-rubygem-nokogiri-0:1.7.2-1.el7cf", "product_name": "CloudForms Management Engine 5.7", "release_date": "2017-06-28T00:00:00Z"}, {"advisory": "RHSA-2017:1601", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.7::el7", "package": "rh-ruby23-rubygem-ovirt-engine-sdk4-0:4.1.5-1.el7cf", "product_name": "CloudForms Management Engine 5.7", "release_date": "2017-06-28T00:00:00Z"}, {"advisory": "RHSA-2017:1758", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "ansible-0:2.3.0.0-1.el7", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-08-02T00:00:00Z"}, {"advisory": "RHSA-2017:1758", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "ansible-tower-0:3.1.3-1.el7at", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-08-02T00:00:00Z"}, {"advisory": "RHSA-2017:1758", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "cfme-0:5.8.1.5-1.el7cf", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-08-02T00:00:00Z"}, {"advisory": "RHSA-2017:1758", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "cfme-appliance-0:5.8.1.5-1.el7cf", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-08-02T00:00:00Z"}, {"advisory": "RHSA-2017:1758", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "cfme-gemset-0:5.8.1.5-1.el7cf", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-08-02T00:00:00Z"}, {"advisory": "RHSA-2017:1758", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package": "rh-ruby23-rubygem-nokogiri-0:1.7.2-1.el7cf", "product_name": "CloudForms Management Engine 5.8", "release_date": "2017-08-02T00:00:00Z"}], "bugzilla": {"description": "cfme: API leaks any MiqReportResult", "id": "1374215", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1374215"}, "csaw": false, "cvss": {"cvss_base_score": "3.5", "cvss_scoring_vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "status": "verified"}, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access.", "A flaw was found in the CloudForms API. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access."], "name": "CVE-2016-7047", "public_date": "2017-06-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-7047\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-7047"], "threat_severity": "Low"}