Moderate: Red Hat Security Advisory: CloudForms 4.6.9 security, bug fix and enhancement update
An update is now available for CloudForms Management Engine 5.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE...
Low: Red Hat Bug Fix Advisory: CloudForms 4.7.1 bug fix and enhancement update
An update is now available for CloudForms Management Engine 5.10. Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller M...
Moderate: Red Hat Security Advisory: CloudForms 4.6.8 security, bug fix and enhancement update
An update is now available for CloudForms Management Engine 5.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE...
Moderate: Red Hat Security Advisory: CloudForms 4.7 security, bug fix and enhancement update
An update is now available for CloudForms Management Engine 5.10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE...
Privilege Escalation
cfme-gemset is vulnerable to privilege escalation attacks. The vulnerability exists because a flaw was found in the CloudForms account configuration when using VMware. By default, a shared account is used that has privileged access to VMRC (VMware Remote Console) functions that may not be appropriate fo...
Information Disclosure
ovirt-ansible-roles is vulnerable to information disclosure attacks. The vulnerability exists because ovirt-ansible-roles before version 1.0.6 is missing a no_log directive, resulting in the 'Add oVirt Provider to ManageIQ/CloudForms' playbook inadvertently disclosing admin...
Cross-site Scripting (XSS)
cloudforms is vulnerable to cross-site scripting (XSS) attacks. The vulnerability exists because a flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature, where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute...
Information Disclosure
cfme is vulnerable to information disclosure attacks. The vulnerability exists because a flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to...
Man-in-the-Middle (MitM)
cloudforms is vulnerable to man-in-the-middle attacks. It includes a default SSL/TLS certificate for the web server. This certificate is replaced at install time; however, if an attacker were able to man-in-the-middle an administrator while installing the new certificate, the attacker could get a co...
CSRF Bypass
cfme is vulnerable to CSRF bypass attacks. The vulnerability exists because a number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of only POST requests. This could allow an attacker to bypass the protect_from_forgery CSRF protection...
Privilege Escalation
cfme is vulnerable to privilege escalation attacks. The vulnerability exists because a logic error in valid_role in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. This would allow an...
Code Injection
Red Hat CloudForms Management Engine is vulnerable to code injection. It is due to a flaw in the way imported capacity and utilization control files are processed, allowing anyone with access to the capacity and utilization feature to execute arbitrary code as the user CFME runs as...
Privilege Escalation
cfme is vulnerable to privilege escalation attacks. The vulnerability exists because CloudForms before 5.6.2.2 and 5.7.0.7 did not properly apply permission controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbitrary VMs on...
Remote Code Execution (RCE)
cfme is vulnerable to remote code execution (RCE) attacks. The vulnerability exists because the web UI in Red Hat CloudForms 4.1 allows remote authenticated users to execute arbitrary code via vectors involving "Lack of field filters."...
Privilege Escalation
cfme is vulnerable to privilege escalation. A privilege escalation flaw was discovered in CloudForms, where in certain situations, CloudForms could read encrypted data from the database and then write decrypted data back into the database. If the database was then exported or log files generated,...
Privilege Escalation
cfme is vulnerable to privilege escalation attacks. The vulnerability exists because Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request...
Authentication Bypass
katello is vulnerable to authentication bypass attacks. The vulnerability exists because the installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote...
Cross-site Request Forgery (CSRF)
CloudForms Management Engine is vulnerable to cross-site request forgery (CSRF). A remote attacker is able to bypass the Ruby on Rails protect_from_forgery mechanism by sending a GET request for a destructive action...
Information Disclosure
Pulp in Red Hat CloudForms is susceptible to information disclosure. The vulnerability exists because it leaks administrative passwords by logging them into a world-readable log file. This vulnerability can be exploited locally...
Important: Red Hat Security Advisory: CloudForms 4.6.6 security, bug fix and enhancement update
An update is now available for CloudForms Management Engine 5.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE...