VYPR

Cloudforms Management Engine

by Red Hat

CVEs (20)

  • CVE-2014-0087HigJan 11, 2018
    risk 0.57cvss 8.8epss 0.02

    The check_privileges method in vmdb/app/controllers/application_controller.rb in ManageIQ, as used in Red Hat CloudForms Management Engine (CFME), allows remote authenticated users to bypass authorization and gain privileges by leveraging improper RBAC checking, related to the…

  • CVE-2016-7040HigOct 7, 2016
    risk 0.57cvss 8.8epss 0.02

    Red Hat CloudForms Management Engine 4.1 does not properly handle regular expressions passed to the expression engine via the JSON API and the web-based UI, which allows remote authenticated users to execute arbitrary shell commands by leveraging the ability to view and filter…

  • CVE-2018-10905HigJul 24, 2018
    risk 0.51cvss 7.8epss 0.00

    CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacker with access to an unprivileged local shell could use this flaw to execute commands as a high privileged user.

  • CVE-2013-2049HigMay 1, 2018
    risk 0.49cvss 7.5epss 0.01

    Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers to conduct session tampering attacks by leveraging use of a static secret_token.rb secret.

  • CVE-2016-4457HigJun 8, 2017
    risk 0.49cvss 7.5epss 0.01

    CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate.

  • CVE-2014-7813MedOct 18, 2017
    risk 0.42cvss 6.5epss 0.01

    Red Hat CloudForms 3 Management Engine (CFME) allows remote authenticated users to cause a denial of service (resource consumption) via vectors involving calls to the .to_sym rails function and lack of garbage collection of inserted symbols.

  • CVE-2016-3702MedApr 21, 2017
    risk 0.35cvss 5.3epss 0.01

    Padding oracle flaw in CloudForms Management Engine (aka CFME) 5 allows remote attackers to obtain sensitive cleartext information.

  • CVE-2015-7502MedApr 11, 2016
    risk 0.33cvss 5.1epss 0.00

    Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4.0 Management Engine (CFME) 5.5.0 do not properly encrypt data in the backend PostgreSQL database, which might allow local users to obtain sensitive data and consequently gain privileges by leveraging access…

  • CVE-2013-2068Sep 28, 2013
    risk 0.08cvss epss 0.59

    Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method.

  • CVE-2013-2050Jan 11, 2014
    risk 0.04cvss epss 0.16

    SQL injection vulnerability in the miq_policy controller in Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 and ManageIQ Enterprise Virtualization Manager 5.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the profile[] parameter in an…

  • CVE-2014-3536Dec 15, 2019
    risk 0.00cvss epss 0.00

    CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration

  • CVE-2014-3692Jan 16, 2015
    risk 0.00cvss epss 0.03

    The customization template in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 uses a default password for the root account when a password is not specified for a new image, which allows remote attackers to gain privileges.

  • CVE-2014-0140Oct 6, 2014
    risk 0.00cvss epss 0.01

    Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request.

  • CVE-2014-3489Jul 7, 2014
    risk 0.00cvss epss 0.02

    lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack.

  • CVE-2014-3486Jul 7, 2014
    risk 0.00cvss epss 0.00

    The (1) shell_exec function in lib/util/MiqSshUtilV1.rb and (2) temp_cmd_file function in lib/util/MiqSshUtilV2.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allow local users to execute arbitrary commands via a symlink attack on a temporary file with a…

  • CVE-2014-0184Jul 7, 2014
    risk 0.00cvss epss 0.00

    Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 logs the root password when deploying a VM, which allows local users to obtain sensitive information by reading the evm.log file.

  • CVE-2014-0137May 14, 2014
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists.

  • CVE-2014-0078May 14, 2014
    risk 0.00cvss epss 0.01

    The CatalogController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to delete arbitrary catalogs via vectors involving guessing the catalog ID.

  • CVE-2014-0057Mar 18, 2014
    risk 0.00cvss epss 0.02

    The x_button method in the ServiceController (vmdb/app/controllers/service_controller.rb) in Red Hat CloudForms 3.0 Management Engine 5.2 allows remote attackers to execute arbitrary methods via unspecified vectors.

  • CVE-2013-4172Aug 23, 2013
    risk 0.00cvss epss 0.01

    The Red Hat CloudForms Management Engine 5.1 allow remote administrators to execute arbitrary Ruby code via unspecified vectors.