Cloudforms Management Engine
by Red Hat
CVEs (20)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-0087 | Red Hat / Cloudforms Management Engine | High | 0.57 | 8.8 | 0.02 | | Jan 11, 2018 | The check_privileges method in vmdb/app/controllers/application_controller.rb in ManageIQ, as used in Red Hat CloudForms Management Engine (CFME), allows remote authenticated users to bypass authorization and gain privileges by leveraging improper RBAC checking, related to the… |
| CVE-2016-7040 | Red Hat / Cloudforms Management Engine | High | 0.57 | 8.8 | 0.02 | | Oct 7, 2016 | Red Hat CloudForms Management Engine 4.1 does not properly handle regular expressions passed to the expression engine via the JSON API and the web-based UI, which allows remote authenticated users to execute arbitrary shell commands by leveraging the ability to view and filter… |
| CVE-2018-10905 | Red Hat / Cloudforms Management Engine | High | 0.51 | 7.8 | 0.00 | | Jul 24, 2018 | CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacker with access to an unprivileged local shell could use this flaw to execute commands as a high privileged user. |
| CVE-2013-2049 | Red Hat / Cloudforms Management Engine | High | 0.49 | 7.5 | 0.01 | | May 1, 2018 | Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers to conduct session tampering attacks by leveraging use of a static secret_token.rb secret. |
| CVE-2016-4457 | Red Hat / Cloudforms Management Engine | High | 0.49 | 7.5 | 0.01 | | Jun 8, 2017 | CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate. |
| CVE-2014-7813 | Red Hat / Cloudforms Management Engine | Med | 0.42 | 6.5 | 0.01 | | Oct 18, 2017 | Red Hat CloudForms 3 Management Engine (CFME) allows remote authenticated users to cause a denial of service (resource consumption) via vectors involving calls to the .to_sym rails function and lack of garbage collection of inserted symbols. |
| CVE-2016-3702 | Red Hat / Cloudforms Management Engine | Med | 0.35 | 5.3 | 0.01 | | Apr 21, 2017 | Padding oracle flaw in CloudForms Management Engine (aka CFME) 5 allows remote attackers to obtain sensitive cleartext information. |
| CVE-2015-7502 | Red Hat / Cloudforms Management Engine | Med | 0.33 | 5.1 | 0.00 | | Apr 11, 2016 | Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4.0 Management Engine (CFME) 5.5.0 do not properly encrypt data in the backend PostgreSQL database, which might allow local users to obtain sensitive data and consequently gain privileges by leveraging access… |
| CVE-2013-2068 | Red Hat / Cloudforms Management Engine | | 0.08 | — | 0.59 | | Sep 28, 2013 | Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method. |
| CVE-2013-2050 | Red Hat / Cloudforms Management Engine | | 0.04 | — | 0.16 | | Jan 11, 2014 | SQL injection vulnerability in the miq_policy controller in Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 and ManageIQ Enterprise Virtualization Manager 5.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the profile[] parameter in an… |
| CVE-2014-3536 | Red Hat / Cloudforms Management Engine | | 0.00 | — | 0.00 | | Dec 15, 2019 | CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration. |
| CVE-2014-3692 | Red Hat / Cloudforms Management Engine | | 0.00 | — | 0.03 | | Jan 16, 2015 | The customization template in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 uses a default password for the root account when a password is not specified for a new image, which allows remote attackers to gain privileges. |
| CVE-2014-0140 | Red Hat / Cloudforms Management Engine | | 0.00 | — | 0.01 | | Oct 6, 2014 | Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request. |
| CVE-2014-3489 | Red Hat / Cloudforms Management Engine | | 0.00 | — | 0.02 | | Jul 7, 2014 | lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack. |
| CVE-2014-3486 | Red Hat / Cloudforms Management Engine | | 0.00 | — | 0.00 | | Jul 7, 2014 | The (1) shell_exec function in lib/util/MiqSshUtilV1.rb and (2) temp_cmd_file function in lib/util/MiqSshUtilV2.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allow local users to execute arbitrary commands via a symlink attack on a temporary file with a… |
| CVE-2014-0184 | Red Hat / Cloudforms Management Engine | | 0.00 | — | 0.00 | | Jul 7, 2014 | Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 logs the root password when deploying a VM, which allows local users to obtain sensitive information by reading the evm.log file. |
| CVE-2014-0137 | Red Hat / Cloudforms Management Engine | | 0.00 | — | 0.01 | | May 14, 2014 | SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists. |
| CVE-2014-0078 | Red Hat / Cloudforms Management Engine | | 0.00 | — | 0.01 | | May 14, 2014 | The CatalogController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to delete arbitrary catalogs via vectors involving guessing the catalog ID. |
| CVE-2014-0057 | Red Hat / Cloudforms Management Engine | | 0.00 | — | 0.02 | | Mar 18, 2014 | The x_button method in the ServiceController (vmdb/app/controllers/service_controller.rb) in Red Hat CloudForms 3.0 Management Engine 5.2 allows remote attackers to execute arbitrary methods via unspecified vectors. |
| CVE-2013-4172 | Red Hat / Cloudforms Management Engine | | 0.00 | — | 0.01 | | Aug 23, 2013 | Red Hat CloudForms Management Engine 5.1 allows remote administrators to execute arbitrary Ruby code via unspecified vectors. |