Note: This project will be discontinued after December 13, 2021.
Product: Cloudforms_management_engine (Redhat)
Repositories: Unknown: This might be proprietary software.
#Vulnerabilities: 42
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2018-07-26 | CVE-2017-7530 | In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that a privilege check is missing when API users filter on VMs, which lets arbitrary methods be invoked through MiqExpression. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs). | Cloudforms, Cloudforms_management_engine | 8.8 | ||
2018-08-22 | CVE-2017-7528 | Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF injection. It was found that the X-Forwarded-For header allows internal servers to deploy other systems (using callback). | Ansible_tower, Cloudforms_management_engine | 6.5 | ||
2018-07-26 | CVE-2017-2664 | CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges. | Cloudforms, Cloudforms_management_engine | 6.5 | ||
2018-07-27 | CVE-2017-2632 | A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an attacker with tenant administration access to elevate privileges. | Cloudforms, Cloudforms_management_engine | 4.9 | ||
2018-07-27 | CVE-2017-15125 | A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature, where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS; however, not all browsers support CSP. | Cloudforms_management_engine | 5.4 | ||
2019-06-12 | CVE-2017-15123 | A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, where the RSS feed URLs are not properly restricted to authenticated users only. An attacker could use this flaw to view potentially sensitive information from CloudForms including data such as newly created virtual machines. | Cloudforms_management_engine | 5.3 | ||
2016-10-07 | CVE-2016-7040 | Red Hat CloudForms Management Engine 4.1 does not properly handle regular expressions passed to the expression engine via the JSON API and the web-based UI, which allows remote authenticated users to execute arbitrary shell commands by leveraging the ability to view and filter collections. | Cloudforms_management_engine | 8.8 | ||
2017-04-21 | CVE-2016-3702 | Padding oracle flaw in CloudForms Management Engine (aka CFME) 5 allows remote attackers to obtain sensitive cleartext information. | Cloudforms_management_engine | 5.3 | ||
2013-09-28 | CVE-2013-2068 | Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method. | Cloudforms_management_engine | N/A | ||
2018-05-01 | CVE-2013-2049 | Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers to conduct session tampering attacks by leveraging use of a static secret_token.rb secret. | Cloudforms_management_engine | 7.5 | ||