666 matches found
Code injection
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization RHEV and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensiti...
CVE-2017-2639
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization RHEV and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensiti...
CVE-2017-2639
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization RHEV and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensiti...
CVE-2017-2639
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization RHEV and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensiti...
CVE-2017-2639
CloudForms Management Engine is affected by CVE-2017-2639, where it does not verify that the server hostname matches the domain name in the certificate when using a custom CA with connections to RHEV/OpenShift. This can allow an attacker to spoof RHEV/OpenShift systems and potentially harvest sen...
PT-2018-8390 · Red Hat · Cloudforms
Name of the Vulnerable Software and Affected Versions: CloudForms affected versions not specified Description: The issue concerns the dialog for creating cloud volumes in CloudForms, specifically with the cinder provider, where it fails to filter cloud tenants by user. This allows an attacker, wh...
PT-2018-7154 · Red Hat · Openshift +2
Name of the Vulnerable Software and Affected Versions: CloudForms affected versions not specified Description: The issue arises from CloudForms not verifying that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization RH...
CVE-2017-2664
CloudForms Management Engine cfme before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges...
Code injection
CloudForms Management Engine cfme before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges...
CVE-2017-2664
CloudForms Management Engine cfme before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges...
CVE-2017-2664
CloudForms Management Engine (cfme) is affected by CVE-2017-2664. The issue is a lack of RBAC controls on certain methods in the Rails application, enabling privilege escalation for an attacker with access. Affected versions are cfme before 5.7.3 and 5.8.x before 5.8.1. Red Hat advisories RHSA-20...
CVE-2017-2664
CloudForms Management Engine cfme before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges...
Privilege escalation
In CloudForms Management Engine cfme before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should n...
CVE-2017-7530
In CloudForms Management Engine cfme before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should n...
CVE-2017-7530
In CloudForms Management Engine cfme before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should n...
CVE-2017-7530
In CloudForms Management Engine cfme before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should n...
CVE-2017-7530
CVE-2017-7530 affects CloudForms Management Engine (cfme) prior to 5.7.3 and 5.8.x prior to 5.8.1, where privilege checks can be bypassed when API users trigger arbitrary methods via VMs filtered by MiqExpression. This could let an attacker perform disallowed actions (e.g., destroying VMs). The i...
Red Hat CloudForms Management Engine Logic Flaw Vulnerability
The Red Hat CloudForms Management Engine CFME is a management engine for IaaS Infrastructure as a Service cloud services solutions from Red Hat, Inc. A security vulnerability exists in dRuby in Red Hat CFME that stems from a failure to properly configure security settings. An attacker could explo...
CVE-2018-10905
CloudForms Management Engine cfme is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacker with access to an unprivileged local shell could use this flaw to execute commands as a high privileged user...
Design/Logic Flaw
CloudForms Management Engine cfme is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacker with access to an unprivileged local shell could use this flaw to execute commands as a high privileged user...