Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Cloudforms_management_engine
(Redhat)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 42 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-12-15 | CVE-2014-3536 | CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration | Cloudforms_management_engine | N/A | ||
| 2018-07-24 | CVE-2018-10905 | CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacker with access to an unprivileged local shell could use this flaw to execute commands as a high privileged user. | Cloudforms, Cloudforms_management_engine | 7.8 | ||
| 2018-07-26 | CVE-2017-7530 | In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs). | Cloudforms, Cloudforms_management_engine | 8.8 | ||
| 2018-08-22 | CVE-2017-7528 | Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarded-For header allows internal servers to deploy other systems (using callback). | Ansible_tower, Cloudforms_management_engine | 6.5 | ||
| 2018-07-26 | CVE-2017-2664 | CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges. | Cloudforms, Cloudforms_management_engine | 6.5 | ||
| 2018-07-27 | CVE-2017-2632 | A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate privileges. | Cloudforms, Cloudforms_management_engine | 4.9 | ||
| 2018-07-27 | CVE-2017-15125 | A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP. | Cloudforms_management_engine | 5.4 | ||
| 2019-06-12 | CVE-2017-15123 | A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, where the RSS feed URLs are not properly restricted to authenticated users only. An attacker could use this flaw to view potentially sensitive information from CloudForms including data such as newly created virtual machines. | Cloudforms_management_engine | 5.3 | ||
| 2016-10-07 | CVE-2016-7040 | Red Hat CloudForms Management Engine 4.1 does not properly handle regular expressions passed to the expression engine via the JSON API and the web-based UI, which allows remote authenticated users to execute arbitrary shell commands by leveraging the ability to view and filter collections. | Cloudforms_management_engine | 8.8 | ||
| 2017-04-21 | CVE-2016-3702 | Padding oracle flaw in CloudForms Management Engine (aka CFME) 5 allows remote attackers to obtain sensitive cleartext information. | Cloudforms_management_engine | 5.3 |