ovirt-engine-reports: js-jboss7-ds.xml is world-readable
The Red Hat Enterprise Virtualization Manager reports rhevm-reports package before 3.3.3-1 uses world-readable permissions on the datasource configuration file js-jboss7-ds.xml, which allows local users to obtain sensitive information by reading the file...
Important: Red Hat Security Advisory: rhevm-spice-client security update
Updated rhevm-spice-client packages that fix multiple security issues are now available for Red Hat Enterprise Virtualization Manager 3. The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give...
Code injection
The remote-viewer in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.3, when using a native SPICE client invocation method, initially makes insecure connections to the SPICE server, which allows man-in-the-middle attackers to spoof the SPICE server...
Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection
This module exploits a SQL injection vulnerability in the "explorer" action of the "miq_policy" controller of Red Hat CloudForms Management Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0) and earlier by changing the password of the target account to the specified password. This module...
Moderate: Red Hat Security Advisory: rhev 3.2.2 - vdsm security and bug fix update
Updated vdsm packages that fix one security issue and various bugs are now available. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the C...
CVE-2013-2144
Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.2 does not properly check permissions for the target storage domain, which allows attackers to cause a denial of service (disk space consumption) by cloning a VM from a snapshot...
Moderate: Red Hat Security Advisory: Red Hat Enterprise Virtualization Manager 3.2 update
Red Hat Enterprise Virtualization Manager 3.2 is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the...
CVE-2013-0168
The MoveDisk command in Red Hat Enterprise Virtualization Manager (RHEV-M) 3.1 and earlier does not properly check permissions on storage domains, which allows remote authenticated storage admins to cause a denial of service (free space consumption of other storage domains) via unspecified vectors...
CVE-2012-6115
The domain management tool (rhevm-manage-domains) in Red Hat Enterprise Virtualization Manager (RHEV-M) 3.1 and earlier, when the validate action is enabled, logs the administrative password to a world-readable log file, which allows local users to obtain sensitive information by reading this file...
CVE-2012-6115
CVE-2012-6115 affects Red Hat Enterprise Virtualization Manager (RHEV-M) domain management tool: when using rhevm-manage-domains -action=validate on RHEV-M 3.1 and earlier, the administrative password is logged to a world-readable log file. This enables a local attacker to obtain sensitive inform...
[SECURITY] Fedora 17 Update: vdsm-4.10.0-13.fc17
The VDSM service is required by a Virtualization Manager to manage the Linux hosts. VDSM manages and monitors the host's storage, memory and networks as well as virtual machine creation, other host administration tasks, statistics gathering, and log collection...
rhev-m: insufficient MoveDisk target domain permission checks
The MoveDisk command in Red Hat Enterprise Virtualization Manager (RHEV-M) 3.1 and earlier does not properly check permissions on storage domains, which allows remote authenticated storage admins to cause a denial of service (free space consumption of other storage domains) via unspecified vectors...
Moderate: Red Hat Security Advisory: rhevm 3.1.2 security and bug fix update
Updated rhevm packages that fix two security issues and various bugs are now available. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each...
CVE-2012-0860
Multiple untrusted search path vulnerabilities in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, allow local users to gain privileges via a Trojan horse (1) deployUtil.py or (2) vds_bootstrap.py Python module in /tmp/...
CVE-2012-0861
The vds_installer in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, uses the -k curl parameter when downloading deployUtil.py and vds_bootstrap.py, which prevents SSL certificates from being validated and allows remote attackers to execute arbitrary Python code via...
Cross-site request forgery (CSRF)
The backend in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1 does not properly check privileges, which allows remote authenticated users to query arbitrary information via a (1) SOAP or (2) GWT request...
Code injection
The vds_installer in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, uses the -k curl parameter when downloading deployUtil.py and vds_bootstrap.py, which prevents SSL certificates from being validated and allows remote attackers to execute arbitrary Python code via...
Information disclosure
Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when moving disks between storage domains, does not properly wipe-after-delete, which prevents disks from being securely deleted and might allow local users to obtain sensitive information via unspecified vectors...
CVE-2012-0861
The CVE-2012-0861 issue affects Red Hat Enterprise Virtualization Manager (RHEV-M) prior to version 3.1. During host addition, the vds_installer downloads deployUtil.py and vds_bootstrap.py with curl -k, skipping SSL certificate validation. This MITM condition lets an attacker on the local networ...