666 matches found
Moderate: Red Hat Security Advisory: CFME 5.5.0 bug fixes and enhancement update
Updated cfme packages that fix a security issue, several bugs, and add various enhancements are now available for Red Hat CloudForms 4.0. Red Hat Product Security has rated this update as having Moderate Security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed...
CloudForms: insecure password storage in PostgreSQL database
A privilege escalation flaw was discovered in CloudForms, where in certain situations, CloudForms could read encrypted data from the database and then write decrypted data back into the database. If the database was then exported or log files generated, a local attacker might be able to gain acce...
Moderate: Red Hat Bug Fix Advisory: CFME 5.4.0 bug fixes, and enhancement update
Updated cfme packages that fix several bugs, and add various enhancements are now available for Red Hat CloudForms 3.2. Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engin...
Red Hat CloudForms Management Engine SQL Injection Vulnerability
Red Hat CloudForms is hybrid cloud management software from Red Hat. A SQL injection vulnerability in Red Hat CloudForms Management Engine allows attackers to send specially crafted REST API requests to manipulate or obtain database data...
CVE-2014-7814
SQL injection vulnerability in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 allows remote authenticated users to execute arbitrary SQL commands via a crafted REST API request to an SQL filter...
CVE-2014-3692
The customization template in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 uses a default password for the root account when a password is not specified for a new image, which allows remote attackers to gain privileges...
Default credentials
The customization template in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 uses a default password for the root account when a password is not specified for a new image, which allows remote attackers to gain privileges...
SQL injection
SQL injection vulnerability in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 allows remote authenticated users to execute arbitrary SQL commands via a crafted REST API request to an SQL filter...
CVE-2014-7814
CVE-2014-7814 is a SQL injection vulnerability affecting Red Hat CloudForms Management Engine (CFME) 3.1/5.3, where an authenticated user can send crafted REST API requests to an SQL filter to execute arbitrary SQL on the CFME database. The issue arises from REST API exposure of SQL filters...
CVE-2014-3692
CVE-2014-3692 affects Red Hat CloudForms 3.1 Management Engine (CFME) 5.3, where the customization template uses a default root password if none is specified for a newly created image, allowing a remote attacker to gain privileges. The connected RHSA-2015:0028 advisory documents the issue as part...
PT-2015-3930 · Red Hat · Red Hat Cloudforms
Name of the Vulnerable Software and Affected Versions: Red Hat CloudForms 3.1 Management Engine CFME version 5.3 Description: The issue allows remote authenticated users to execute arbitrary SQL commands via a crafted REST API request to an SQL filter. This can be achieved by sending a malicious...
PT-2015-3735 · Red Hat · Red Hat Cloudforms
Name of the Vulnerable Software and Affected Versions: Red Hat CloudForms 3.1 Management Engine CFME version 5.3 Description: The issue concerns the customization template in Red Hat CloudForms, which uses a default password for the root account when no password is specified for a new image. This...
Important: Red Hat Security Advisory: cfme security, bug fix, and enhancement update
Updated cfme packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat CloudForms 3.1. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detaile...
CFME: REST API SQL Injection
It was found that CloudForms 4 exposed SQL filters via the REST API without any input escaping. An authenticated user could use this flaw to perform SQL injection attacks against the CloudForms Management Engine database...
CFME: default fallback password in customization_templates.yml
It was found that the CloudForms Management Engine customization template used a default root password for newly created images if no root password was specified...
CVE-2014-0136
The (1) get and (2) log methods in the AgentController in Red Hat CloudForms 3.0 Management Engine (CFME) 5.x allow remote attackers to insert arbitrary text into log files via unspecified vectors...
Code injection
The (1) get and (2) log methods in the AgentController in Red Hat CloudForms 3.0 Management Engine (CFME) 5.x allow remote attackers to insert arbitrary text into log files via unspecified vectors...
CVE-2014-0136
CVE-2014-0136 affects Red Hat CloudForms 3.0 Management Engine (CFME) 5.x, where the AgentController’s get and log methods allow remote attackers to insert arbitrary text into log files. The root cause is unsanitized user input written to log files from the AgentController, enabling arbitrary con...