RedhatCloudforms Management Engine

42 matches found

added 2020/01/02 2:23 p.m. | 306 views

CVE-2019-14864

The connected documents confirm CVE-2019-14864 affects Ansible, specifically versions 2.9.x before 2.9.1, 2.8.x before 2.8.7, and 2.7.x before 2.7.15. The root cause is that the no_log flag is not respected when Sumologic and Splunk callback plugins are used to send task results to collectors, le...

CVSS 6.5 | AI score 6.4 | EPSS 0.01857
added 2020/03/12 5:47 p.m. | 285 views

CVE-2020-1739

CVE-2020-1739 affects Ansible (2.7.16 and earlier, 2.8.8 and earlier, 2.9.5 and earlier). The flaw arises when a password is supplied to the svn module via the password argument, causing the password to be echoed into the svn command line and readable by other users on the same node by inspecting...

CVSS 3.9 | AI score 5.5 | EPSS 0.00358
added 2020/03/31 4:20 p.m. | 253 views

CVE-2019-14905

The CVE-2019-14905 issue affects Ansible Engine’s nxos_file_copy module, where the filename parameter could be crafted to inject OS commands on NXOS devices. This is a local attack with potential confidentiality, integrity, and availability impacts as described (loss of confidentiality, etc.). Af...

CVSS 7.3 | AI score 6 | EPSS 0.00736
added 2020/03/11 6:47 p.m. | 234 views

CVE-2020-1733

The CVE-2020-1733 entry concerns a race-condition in Ansible Engine when using become_user: Ansible creates the temporary directory in /var/tmp with umask 77 during module execution, and the operation can succeed even if the directory already exists and is owned by another user. An attacker could...

CVSS 5 | AI score 5.8 | EPSS 0.004
added 2020/03/16 3:05 p.m. | 220 views

CVE-2020-1735

CVE-2020-1735 is a vulnerability in the Ansible Engine where the fetch module can be intercepted, enabling an attacker to inject a new path and choose a different destination path on the controller. The issue affects all 2.7.x, 2.8.x and 2.9.x branches. Connected advisories confirm multiple vendo...

CVSS 4.6 | AI score 5.2 | EPSS 0.00487
added 2020/03/16 3:07 p.m. | 214 views

CVE-2020-1740

CVE-2020-1740 is about Ansible Engine Vault editing: on the same host, ansible-vault edit can expose old/new secrets due to mkstemp/two-step write. Connected documents consistently confirm this vulnerability across multiple distributions (Astra Linux, Debian, Fedora/Red Hat, Alpine, Amazon Linux)...

CVSS 4.7 | AI score 5.2 | EPSS 0.00374
added 2020/02/19 2:41 p.m. | 212 views

CVE-2012-6685

Nokogiri prior to 1.5.4 is vulnerable to XML External Entity (XXE) attacks. The issue arises in the XML parsing path (XXE) and is documented under CVE-2012-6685. Exploitation details are not provided beyond the XXE description. Affected software: Nokogiri (Ruby library). Root cause: XXE in XML pr...

CVSS 7.5 | AI score 7.3 | EPSS 0.02115
added 2020/03/16 3:03 p.m. | 155 views

CVE-2020-1736

CVE-2020-1736 concerns Ansible Engine where moving a file with atomic_move cannot set the destination file mode. If the destination does not exist, the move can render the new file world-readable; if the file exists, permissions may be loosened before the move, potentially exposing sensitive data...

CVSS 3.3 | AI score 3.6 | EPSS 0.00401
added 2020/03/16 3:08 p.m. | 138 views

CVE-2020-1738

CVE-2020-1738 affects Ansible Engine. Root cause: when the module package or service is used and the parameter 'use' is omitted, an attacker with local access can influence which module is sent via the ansible facts file if a prior task ran under a malicious user. Affected: all versions in the 2....

CVSS 3.9 | AI score 4 | EPSS 0.00381
added 2020/06/22 5:53 p.m. | 118 views

CVE-2019-14894

CVE-2019-14894 affects the CloudForms Management Engine, specifically versions 5.10 and 5.11. The flaw enables remote code execution through the NFS schedule backup mechanism. An attacker who can log into the management console could execute arbitrary shell commands on the CloudForms server with ...

CVSS 9 | AI score 7.4 | EPSS 0.04078
added 2018/07/24 1:00 p.m. | 108 views

CVE-2018-10905

CVE-2018-10905 affects Red Hat CloudForms Management Engine (cfme) via an improper access control in the dRuby (DRb) component. A local attacker with access to an unprivileged shell can execute arbitrary commands as a highly privileged user (root). The issue is documented across Red Hat advisorie...

CVSS 7.8 | AI score 7.3 | EPSS 0.00474
added 2020/08/11 1:19 p.m. | 100 views

CVE-2020-14324

CVE-2020-14324 affects Red Hat CloudForms (cfme) and is described as an Out-of-band OS Command Injection via the conversion host during Infrastructure Migration. Impact: authenticated attacker can execute arbitrary commands on the CloudForms server. Affected software includes CloudForms before 5....

CVSS 9.1 | AI score 9.3 | EPSS 0.02515
added 2018/07/27 3:00 p.m. | 99 views

CVE-2017-7497

CVE-2017-7497 affects Red Hat CloudForms (CloudForms Management Engine) where the dialog for creating cloud volumes (cinder provider) fails to filter cloud tenants by user. The underlying issue allows an attacker who can create storage volumes to allocate volumes for other tenants, enabling unaut...

CVSS 4.3 | AI score 4.5 | EPSS 0.00991
added 2019/12/15 9:04 p.m. | 97 views

CVE-2014-3536

CVE-2014-3536 affects Red Hat CloudForms Management Engine (CFME) version 5. The vulnerability stems from CFME logging RHN account information to top_output.log during the registration process, leading to potential information disclosure. Multiple connected records corroborate the issue as a disc...

CVSS 5.5 | AI score 5.4 | EPSS 0.00328
added 2019/11/22 11:51 a.m. | 95 views

CVE-2018-10854

CloudForms/CloudForms Management Engine is affected by CVE-2018-10854 due to a stored XSS in the Name field within the v2v infrastructure mapping delete feature. Affected versions are CloudForms 5.8 and 5.9. Root cause: improper sanitization of user input in Name leading to stored XSS. Red Hat ad...

CVSS 6.5 | AI score 5.1 | EPSS 0.00608
added 2018/07/27 3:00 p.m. | 92 views

CVE-2017-15125

CloudForms is affected by CVE-2017-15125 due to a stored XSS flaw in the self-service UI snapshot feature where the name field is not properly sanitized for HTML/JavaScript input. An attacker could exploit this to execute a stored XSS attack against an application administrator; CSP mitigates the...

CVSS 6.5 | AI score 5.2 | EPSS 0.00934
added 2019/12/13 12:48 p.m. | 77 views

CVE-2014-0197

CVE-2014-0197 is a Cross-Site Request Forgery (CSRF) vulnerability in CFME/Red Hat CloudForms Management Engine caused by a permissive check of the referrer header. Affected component is CFME web application; impact is partial confidentiality, integrity, and availability compromises per CVSS 3.1/...

CVSS 8.8 | AI score 8.7 | EPSS 0.00684
added 2018/07/27 7:00 p.m. | 76 views

CVE-2017-2632

CVE-2017-2632 affects Red Hat CloudForms Management Engine (CFME) where a logic error in valid_role() could let a tenant administrator create groups with higher privileges. Technical details across connected sources show the issue exists in CFME versions prior to the fixed releases (e.g., CFME 5....

CVSS 4.9 | AI score 5 | EPSS 0.01472
added 2019/06/27 8:50 p.m. | 75 views

CVE-2019-10177

CloudForms (Red Hat) PDF export module in versions 5.9 and 5.10 is affected by a stored XSS due to unsanitized user input. An attacker with privileges to edit compute can trigger XSS against other users, potentially leading to arbitrary code execution and theft of the higher-privileged user’s ant...

CVSS 6.5 | AI score 6.2 | EPSS 0.0096
added 2018/10/31 1:00 p.m. | 74 views

CVE-2016-5402

CVE-2016-5402 affects Red Hat CloudForms Management Engine (CFME). A code injection flaw exists in how capacity and utilization imported control files are processed, allowing a remote, authenticated attacker to execute arbitrary code as the CFME user. Public details come from Red Hat RHSA-2016:28...

CVSS 9 | AI score 8.9 | EPSS 0.05931
added 2018/07/27 1:00 p.m. | 74 views

CVE-2017-2639

CloudForms Management Engine is affected by CVE-2017-2639, where it does not verify that the server hostname matches the domain name in the certificate when using a custom CA with connections to RHEV/OpenShift. This can allow an attacker to spoof RHEV/OpenShift systems and potentially harvest sen...

CVSS 7.5 | AI score 7.3 | EPSS 0.01137
added 2018/07/26 1:00 p.m. | 73 views

CVE-2017-7530

CVE-2017-7530 affects CloudForms Management Engine (cfme) prior to 5.7.3 and 5.8.x prior to 5.8.1, where privilege checks can be bypassed when API users trigger arbitrary methods via VMs filtered by MiqExpression. This could let an attacker perform disallowed actions (e.g., destroying VMs). The i...

CVSS 8.8 | AI score 8.8 | EPSS 0.01703
added 2019/06/12 1:39 p.m. | 72 views

CVE-2017-15123

CVE-2017-15123 affects Red Hat CloudForms web interface versions 5.8–5.10, where RSS feed URLs are not properly access-restricted to authenticated users, enabling disclosure of potentially sensitive data (e.g., newly created virtual machines). The entry is supported by NVD (CVSS v2 base 5.0, CVSS...

CVSS 5.3 | AI score 4.9 | EPSS 0.0143
added 2018/09/11 1:00 p.m. | 71 views

CVE-2016-7047

CVE-2016-7047 affects Red Hat CloudForms Management Engine (CloudForms API) before versions 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with MiqReportResults API permission could view data from other tenants or groups, causing information disclosure. Connected Red Hat advisories indicate broader CloudFo...

CVSS 4.3 | AI score 4.3 | EPSS 0.01334
added 2018/07/26 2:00 p.m. | 69 views

CVE-2017-2664

CloudForms Management Engine (cfme) is affected by CVE-2017-2664. The issue is a lack of RBAC controls on certain methods in the Rails application, enabling privilege escalation for an attacker with access. Affected versions are cfme before 5.7.3 and 5.8.x before 5.8.1. Red Hat advisories RHSA-20...

CVSS 6.5 | AI score 6.4 | EPSS 0.01319
added 2019/11/05 2:02 p.m. | 68 views

CVE-2013-6460

CVE-2013-6460 affects the Nokogiri gem (version 1.5.x) and is described in connected documents as a Denial of Service via an infinite loop when parsing XML documents. The available sources consistently state a DoS impact but do not provide concrete exploitation details or patch/version remediatio...

CVSS 6.5 | AI score 6.4 | EPSS 0.02083
added 2020/08/11 1:32 p.m. | 68 views

CVE-2020-10780

CVE-2020-10780 affects Red Hat CloudForms 4.7 and 5, where a CSV Injection flaw in Orchestration Templates can be triggered when a crafted CSV is exported and opened in Excel. The underlying issue is loosely validated parameters allowing CSV formulae to execute after the file is opened, enabling ...

CVSS 6.3 | AI score 6.3 | EPSS 0.00701
added 2018/07/27 6:00 p.m. | 67 views

CVE-2017-2653

CVE-2017-2653 affects Red Hat CloudForms Management Engine (CFME) and components cfme, cfme-appliance, and cfme-gemset on Red Hat Enterprise Linux 7. Unused delete routes could be reachable via GET requests, bypassing CSRF protection and enabling route usage, potentially in conjunction with addit...

CVSS 6.5 | AI score 6.1 | EPSS 0.01387
added 2018/08/22 4:00 p.m. | 67 views

CVE-2017-7528

CRLF Injection in Ansible Tower shipped with Red Hat CloudForms Management Engine 5 is triggered via the X-Forwarded-For header, allowing internal servers to deploy other systems through a callback mechanism. This flaw is documented in CVE-2017-7528; the vulnerability affects the Ansible Tower co...

CVSS 6.5 | AI score 6.4 | EPSS 0.00599
added 2020/08/11 1:14 p.m. | 67 views

CVE-2020-14296

CVE-2020-14296 affects Red Hat CloudForms 4.7 and 5 with a Server-Side Request Forgery (SSRF) flaw exposed when adding an Ansible Tower provider. The issue allows an attacker to issue crafted requests from the vulnerable CloudForms server to scan or attack internal systems not normally accessible...

CVSS 7.1 | AI score 6.8 | EPSS 0.00643
added 2013/08/23 4:00 p.m. | 66 views

CVE-2013-4172

The CVE-2013-4172 entry affects Red Hat CloudForms Management Engine 5.1, where an input sanitization flaw allows remote administrators to execute arbitrary Ruby code with root privileges via unspecified vectors. The vulnerability is rooted in a defect in handling administrative input, enabling c...

CVSS 8.5 | AI score 7.8 | EPSS 0.01255
added 2022/07/06 7:06 p.m. | 63 views

CVE-2014-8164

CVE-2014-8164 describes an insecure certificate verification configuration (http.verify_mode = OpenSSL::SSL::VERIFY_NONE) that may enable verification bypass in Red Hat CloudForms 5.x. The connected documents corroborate that the issue affects the CloudForms Management Engine and related componen...

CVSS 9.1 | AI score 9.1 | EPSS 0.00509
added 2016/04/11 9:00 p.m. | 63 views

CVE-2015-7502

Summary: CVE-2015-7502 affects Red Hat CloudForms Management Engine (CFME) 3.2/5.4.4 and CFME 4.0/5.5.0. The issue is improper encryption of data stored in the backend PostgreSQL database, enabling local attackers to access sensitive information by exploiting access to database exports or log fil...

CVSS 5.1 | AI score 5.2 | EPSS 0.00341
added 2016/10/07 2:00 p.m. | 62 views

CVE-2016-7040

CVE-2016-7040 affects Red Hat CloudForms Management Engine (CFME) 4.1. An input-validation flaw in how CFME handles regular expressions passed to the expression engine via the JSON API and the web UI allows remote authenticated users to execute arbitrary shell commands by viewing/filtering collect...

CVSS 9 | AI score 8.8 | EPSS 0.02256
added 2018/09/10 3:00 p.m. | 62 views

CVE-2016-7071

CVE-2016-7071 concerns Red Hat CloudForms/CFME where, prior to updates 5.6.2.2 and 5.7.0.7, permissions were not properly enforced for VM IDs supplied by users. A remote, authenticated attacker could exploit this to execute arbitrary VMs on managed systems if they know the VM ID. The connected R...

CVSS 9 | AI score 8.8 | EPSS 0.02197
added 2019/11/05 2:07 p.m. | 61 views

CVE-2013-6461

Nokogiri gem versions 1.5.x and 1.6.x are affected by a DoS vulnerability when parsing XML entities due to failing to apply limits. The issue is described across multiple connected sources (SUSE, Ubuntu, Debian security trackers, RubyGems advisories, and NVD). The CVE entry itself lists DoS as th...

CVSS 6.5 | AI score 6.4 | EPSS 0.02194
added 2014/01/11 1:00 a.m. | 60 views

CVE-2013-2050

The CVE-2013-2050 issue is a SQL injection vulnerability in the miq_policy controller of Red Hat CloudForms Management Engine (CFME) 5.1 and older, and ManageIQ Enterprise Virtualization Manager 5.0 and older. The vulnerability leverages the explorer action via the profile[] parameter, allowing r...

CVSS 7.5 | AI score 8.2 | EPSS 0.15659 | tag: Web
added 2018/01/11 4:00 p.m. | 60 views

CVE-2014-0087

Affected product: ManageIQ / Red Hat CloudForms Management Engine (CFME). Issue: The check_privileges method in vmdb/app/controllers/application_controller.rb allows remote authenticated users to bypass authorization by exploiting improper RBAC checking, specifically related to the rbac_user_edit...

CVSS 8.8 | AI score 8.5 | EPSS 0.01812
added 2017/06/08 6:00 p.m. | 60 views

CVE-2016-4457

CloudForms Management Engine (CFME) is affected by CVE-2016-4457 due to a default SSL/TLS certificate used by the web server. Red Hat RHSA-2017:1367 documents that if an attacker could man-in-the-middle during install, they could obtain the private key uploaded with the new certificate, enabling ...

CVSS 7.5 | AI score 7.5 | EPSS 0.01058
added 2013/09/28 7:00 p.m. | 59 views

CVE-2013-2068

CVE-2013-2068: In Red Hat CloudForms Management Engine 2.0, the AgentController exposes a directory traversal vulnerability via the filename parameter to log, upload, or linuxpkgs, allowing a remote attacker to create/overwrite arbitrary files. Root cause is improper sanitization of the parameter...

CVSS 9.4 | AI score 7.1 | EPSS 0.58624 | tag: Web
added 2018/05/01 7:00 p.m. | 57 views

CVE-2013-2049

CFME/Red Hat CloudForms 2 Management Engine is affected by a vulnerability caused by a static secret_token.rb secret, enabling remote attackers to tamper sessions. Based on provided sources, the impact is session integrity (high for CVSS3) with network access and no authentication; CVSS2/3 base s...

CVSS 7.5 | AI score 7.5 | EPSS 0.01213
added 2017/04/21 8:00 p.m. | 48 views

CVE-2016-3702

CVE-2016-3702: Padding oracle flaw in Red Hat CloudForms Management Engine (CFME) 5 enables remote attackers to obtain sensitive cleartext information. Affected component and exact root cause are described as a padding oracle vulnerability; no specific exploit details or remediation are provided ...

CVSS 5.3 | AI score 5.2 | EPSS 0.01237