{"containers": {"cna": {"affected": [{"product": "cfme", "vendor": "[UNKNOWN]", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-11-30T00:00:00", "descriptions": [{"lang": "en", "value": "A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-11-01T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5402"}, {"name": "94612", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94612"}, {"name": "RHSA-2016:2839", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2839.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:00:59.994Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5402"}, {"name": "94612", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/94612"}, {"name": "RHSA-2016:2839", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2839.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-5402", "datePublished": "2018-10-31T13:00:00", "dateReserved": "2016-06-10T00:00:00", "dateUpdated": "2024-08-06T01:00:59.994Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:cloudforms:4.1:*:*:*:*:*:*:*", "matchCriteriaId": "BF303B35-7EBD-44D3-90FB-2B6295FCEB86", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:cloudforms_management_engine:5.6:*:*:*:*:*:*:*", "matchCriteriaId": "1480D433-1DF4-4A5D-A098-E55515133DE8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as."}, {"lang": "es", "value": "Se ha encontrado un error de inyecci\u00f3n de c\u00f3digo en la forma en la que se procesan los archivos de control de capacidad y utilizaci\u00f3n importados. Un atacante autenticado remoto con acceso a la caracter\u00edstica de capacidad y utilizaci\u00f3n podr\u00eda emplear este error para ejecutar c\u00f3digo arbitrario como el usuario como el que se ejecuta CFME."}], "id": "CVE-2016-5402", "lastModified": "2024-11-21T02:54:14.663", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-10-31T13:29:00.443", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2839.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94612"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5402"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2839.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94612"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5402"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Simon Lukasik (Red Hat).", "affected_release": [{"advisory": "RHSA-2016:2839", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.6::el7", "package": "cfme-0:5.6.3.3-1.el7cf", "product_name": "CloudForms Management Engine 5.6", "release_date": "2016-11-30T00:00:00Z"}, {"advisory": "RHSA-2016:2839", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.6::el7", "package": "cfme-appliance-0:5.6.3.3-1.el7cf", "product_name": "CloudForms Management Engine 5.6", "release_date": "2016-11-30T00:00:00Z"}, {"advisory": "RHSA-2016:2839", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.6::el7", "package": "cfme-gemset-0:5.6.3.3-1.el7cf", "product_name": "CloudForms Management Engine 5.6", "release_date": "2016-11-30T00:00:00Z"}, {"advisory": "RHSA-2016:2839", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.6::el7", "package": "freeipmi-0:1.5.1-2.el7cf", "product_name": "CloudForms Management Engine 5.6", "release_date": "2016-11-30T00:00:00Z"}], "bugzilla": {"description": "cfme: RCE via Capacity & Utilization feature", "id": "1357559", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1357559"}, "csaw": false, "cvss": {"cvss_base_score": "8.5", "cvss_scoring_vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "status": "verified"}, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-94", "details": ["A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as.", "A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as."], "name": "CVE-2016-5402", "package_state": [{"cpe": "cpe:/a:cloudforms_managementengine:5.5", "fix_state": "Will not fix", "package_name": "cfme", "product_name": "CloudForms Management Engine 5.5"}], "public_date": "2016-11-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-5402\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-5402"], "threat_severity": "Important"}