Published: 2019-09-05 | Updated: 2019-09-05
Severity
Medium
Patch available
YES
Number of vulnerabilities
2
CVE ID
CVE-2019-11358, CVE-2018-10854
CWE ID
CWE-400, CWE-79
Exploitation vector
Network
Public exploit
Public exploit code for vulnerability #1 is available.
Vulnerable software
CloudForms
Vendor
Red Hat Inc.
Security Advisory
1) Prototype pollution
Severity: Low
CVSSv3: 4.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C] [PCI]
CVE-ID: CVE-2019-11358
CWE-ID: CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to prototype pollution in the jQuery.extend function (CVE-2019-11358 affects jQuery before 3.4.0). When an attacker controls part of the structure passed to extend for a deep merge, for example a JSON object carrying a "__proto__" key, the merge walks into Object.prototype and writes the attacker's properties there. Those properties then appear on every object in the application, so the attacker can add or overwrite a property the application relies on and cause a denial of service (DoS).
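The following is an added example, not code from the advisory, from Red Hat or from jQuery. It shows a minimal deep-merge helper written to mirror the pre-3.4.0 behaviour of jQuery.extend(true, ...) (the function name `vulnerableExtend` is hypothetical), the attacker-controlled JSON that triggers the pollution, and a hardened variant (`safeExtend`, also a hypothetical name) that refuses the dangerous keys and only recurses into properties the target actually owns. The payload is constructed for the demonstration.

```javascript
// Deep-merge modelled on jQuery.extend(true, target, source) before the 3.4.0 fix.
// VULNERABLE: for a key named "__proto__", target[key] resolves through the
// accessor on Object.prototype, so the recursion writes into Object.prototype.
function vulnerableExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = target[key]; // "__proto__" -> Object.prototype
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = vulnerableExtend(clone, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep-merge (hypothetical name): skips prototype-chain keys and only
// treats a target property as mergeable if the target owns it.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__" || key === "constructor" || key === "prototype") {
      continue; // never follow keys that reach the prototype chain
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      const clone = isPlainObject(owned) ? owned : {};
      target[key] = safeExtend(clone, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Demonstrates the pollution and the fix; returns values for checking.
function demo() {
  // Constructed attacker input, e.g. a JSON request body. JSON.parse creates an
  // OWN property literally named "__proto__", which for...in will enumerate.
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}');

  const before = {}.isAdmin; // undefined: fresh objects have no such property
  vulnerableExtend({}, payload);
  const afterVulnerable = {}.isAdmin; // true: every object now carries isAdmin

  // Undo the pollution so the hardened variant starts from a clean state.
  delete Object.prototype.isAdmin;

  safeExtend({}, payload);
  const afterSafe = {}.isAdmin; // undefined: the "__proto__" key was ignored
  return { before, afterVulnerable, afterSafe };
}

console.log(demo());
```

The same mechanism is what turns this into a denial of service: if the attacker's nested object sets a key such as toString or hasOwnProperty to a non-function, every later implicit string conversion or ownership check in the process throws a TypeError, so request handlers that never touched the attacker's data start failing. The hardened variant also checks ownership before recursing, so a key like "constructor" cannot be used to reach Function.prototype through the chain.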
Mitigation
Install updates from vendor's website.
Vulnerable software versions
CloudForms: 4.7.9
CPE
External links
https://access.redhat.com/errata/RHSA-2019:2587
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote ..