{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_vex", "csaf_version": "2.0", "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "title": "X-Forwarded-For header allows internal servers to deploy other systems (using callback)", "tracking": { "current_release_date": "2026-05-07T12:58:06+00:00", "generator": { "date": "2026-05-07T12:58:06+00:00", "engine": { "name": "CSAF Generator", "version": "2.0.1" } }, "id": "CVE-2017-7528", "initial_release_date": "2017-06-07T00:00:00+00:00", "revision_history": [ { "date": "2026-05-07T12:58:06+00:00", "number": "1", "summary": "Last generated version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "category": "vendor", "name": "Red Hat", "branches": [ { "category": "product_name", "name": "Red Hat CloudForms unspecified", "product": { "name": "Red Hat CloudForms unspecified", "product_id": "cfme-5", "product_identification_helper": { "cpe": "cpe:/a:redhat:cloudforms_managementengine:5" } } }, { "category": "product_version", "name": "cfme", "product": { "name": "cfme", "product_id": "cfme.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/cfme?arch=src" } } } ] } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "cfme.src as a component of Red Hat CloudForms unspecified", "product_id": "cfme-5:cfme.src" }, "product_reference": "cfme.src", "relates_to_product_reference": "cfme-5" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-7528", "cwe": { "id": "CWE-113", "name": "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')" }, "discovery_date": "2017-06-07T00:00:00+00:00", "notes": [ { "category": "description", "text": "Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarded-For header allows internal servers to deploy other systems (using callback).", "title": "Vulnerability description" } ], "product_status": { "under_investigation": [ "cfme-5:cfme.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2017-7528" }, { "category": "external", "summary": "nvd.nist.gov", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7528" }, { "category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2017-7528" } ], "scores": [ { "cvss_v3": { "version": "3.0", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N", "baseScore": 5.2, "baseSeverity": "MEDIUM" }, "products": [ "cfme-5:cfme.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate", "product_ids": [ "cfme-5:cfme.src" ] } ], "title": "X-Forwarded-For header allows internal servers to deploy other systems (using callback)" } ] }