CVE-2015-7544

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: Sep 25, 2017 | Modified: Feb 13, 2023
CVSS 3.x: 9.1 CRITICAL (source: NVD), vector CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS 2.x: 9 HIGH, vector AV:N/AC:L/Au:S/C:C/I:C/A:C
RedHat/V2: 6.6 IMPORTANT, vector AV:L/AC:M/Au:S/C:C/I:C/A:C
RedHat/V3:
Ubuntu:

redhat-support-plugin-rhev in Red Hat Enterprise Virtualization Manager (aka RHEV Manager) before 3.6 allows remote authenticated users with the SuperUser role on any Entity to execute arbitrary commands on any host in the RHEV environment.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name                             | Vendor | Start Version                                  | End Version
Enterprise_virtualization_manager | Redhat | 3.4 (including)                               | 3.4 (including)
Enterprise_virtualization_manager | Redhat | 3.4.1 (including)                             | 3.4.1 (including)
Enterprise_virtualization_manager | Redhat | 3.5.0 (including)                             | 3.5.0 (including)
RHEV Manager version 3.6          | RedHat | redhat-support-plugin-rhev-0:3.6.0-12.el6     | *
