Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Cloudforms
(Redhat)Repositories |
• https://github.com/paramiko/paramiko
• https://github.com/sinatra/sinatra |
#Vulnerabilities | 48 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2018-02-09 | CVE-2018-1053 | In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is... | Ubuntu_linux, Debian_linux, Postgresql, Cloudforms | 7.0 | ||
2018-07-26 | CVE-2017-7530 | In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs). | Cloudforms, Cloudforms_management_engine | 8.8 | ||
2018-07-26 | CVE-2017-2664 | CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges. | Cloudforms, Cloudforms_management_engine | 6.5 | ||
2018-07-27 | CVE-2017-2632 | A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate privileges. | Cloudforms, Cloudforms_management_engine | 4.9 | ||
2018-07-27 | CVE-2017-12148 | A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command and code execution as the user Tower runs as. | Ansible_tower, Cloudforms | 7.2 | ||
2014-02-20 | CVE-2014-0081 | Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. | Opensuse, Opensuse, Cloudforms, Enterprise_linux, Rails, Ruby_on_rails | N/A | ||
2018-05-31 | CVE-2018-11627 | Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception. | Cloudforms, Sinatra | 6.1 | ||
2016-08-26 | CVE-2016-5383 | The web UI in Red Hat CloudForms 4.1 allows remote authenticated users to execute arbitrary code via vectors involving "Lack of field filters." | Cloudforms | 8.8 | ||
2017-06-08 | CVE-2016-4471 | ManageIQ in CloudForms before 4.1 allows remote authenticated users to execute arbitrary code. | Cloudforms | 8.8 | ||
2014-01-23 | CVE-2013-6443 | CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request. | Cloudforms, Cloudforms_3\.0_management_engine | N/A |