Vendor CVEs
Red Hat
All CVEs
3,695 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-8333 | 0.00 | — | 0.02 | Oct 31, 2014 | The VMware driver in OpenStack Compute (Nova) before 2014.1.4 allows remote authenticated users to cause a denial of service (disk consumption) by deleting an instance in the resize state. | |||
| CVE-2014-3708 | 0.00 | — | 0.03 | Oct 31, 2014 | OpenStack Compute (Nova) before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (CPU consumption) via an IP filter in a list active servers API request. | |||
| CVE-2014-0136 | 0.00 | — | 0.02 | Oct 27, 2014 | The (1) get and (2) log methods in the AgentController in Red Hat CloudForms 3.0 Management Engine (CFME) 5.x allow remote attackers to insert arbitrary text into log files via unspecified vectors. | |||
| CVE-2014-5075 | 0.00 | — | 0.01 | Oct 25, 2014 | The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows… | |||
| CVE-2014-7968 | 0.00 | — | 0.02 | Oct 22, 2014 | VDSM allows remote attackers to cause a denial of service (connection blocking) by keeping an SSL connection open. | |||
| CVE-2014-3677 | 0.00 | — | 0.03 | Oct 22, 2014 | Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption. | |||
| CVE-2014-3676 | 0.00 | — | 0.05 | Oct 22, 2014 | Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option." | |||
| CVE-2014-3675 | 0.00 | — | 0.03 | Oct 22, 2014 | Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet. | |||
| CVE-2014-3573 | 0.00 | — | 0.02 | Oct 18, 2014 | The oVirt Engine backend module, as used in Red Hat Enterprise Virtualization Manager before 3.4.2, uses an "insecure DocumentBuilderFactory," which allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML/RSDL document, related… | |||
| CVE-2014-3680 | 0.00 | — | 0.01 | Oct 16, 2014 | Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM. | |||
| CVE-2014-3667 | 0.00 | — | 0.01 | Oct 16, 2014 | Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code. | |||
| CVE-2014-3666 | 0.00 | — | 0.04 | Oct 16, 2014 | Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel. | |||
| CVE-2014-3663 | 0.00 | — | 0.01 | Oct 16, 2014 | Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors. | |||
| CVE-2014-3662 | 0.00 | — | 0.02 | Oct 16, 2014 | Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts. | |||
| CVE-2014-3661 | 0.00 | — | 0.02 | Oct 16, 2014 | Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake. | |||
| CVE-2014-3681 | 0.00 | — | 0.02 | Oct 15, 2014 | Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2014-3664 | 0.00 | — | 0.02 | Oct 15, 2014 | Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors. | |||
| CVE-2014-3593 | 0.00 | — | 0.01 | Oct 15, 2014 | Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration. | |||
| CVE-2014-7283 | 0.00 | — | 0.01 | Oct 13, 2014 | The xfs_da3_fixhashpath function in fs/xfs/xfs_da_btree.c in the xfs implementation in the Linux kernel before 3.14.2 does not properly compare btree hash values, which allows local users to cause a denial of service (filesystem corruption, and OOPS or panic) via operations on… | |||
| CVE-2014-7231 | 0.00 | — | 0.01 | Oct 8, 2014 | The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log. | |||
| CVE-2014-7230 | 0.00 | — | 0.00 | Oct 8, 2014 | The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log. | |||
| CVE-2014-3200 | 0.00 | — | 0.01 | Oct 8, 2014 | Multiple unspecified vulnerabilities in Google Chrome before 38.0.2125.101 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | |||
| CVE-2014-3199 | 0.00 | — | 0.01 | Oct 8, 2014 | The wrap function in bindings/core/v8/custom/V8EventCustom.cpp in the V8 bindings in Blink, as used in Google Chrome before 38.0.2125.101, has an erroneous fallback outcome for wrapper-selection failures, which allows remote attackers to cause a denial of service via vectors… | |||
| CVE-2014-3198 | 0.00 | — | 0.01 | Oct 8, 2014 | The Instance::HandleInputEvent function in pdf/instance.cc in the PDFium component in Google Chrome before 38.0.2125.101 interprets a certain -1 value as an index instead of a no-visible-page error code, which allows remote attackers to cause a denial of service (out-of-bounds… | |||
| CVE-2014-3197 | 0.00 | — | 0.01 | Oct 8, 2014 | The NavigationScheduler::schedulePageBlock function in core/loader/NavigationScheduler.cpp in Blink, as used in Google Chrome before 38.0.2125.101, does not properly provide substitute data for pages blocked by the XSS auditor, which allows remote attackers to obtain sensitive… | |||
| CVE-2014-3195 | 0.00 | — | 0.01 | Oct 8, 2014 | Google V8, as used in Google Chrome before 38.0.2125.101, does not properly track JavaScript heap-memory allocations as allocations of uninitialized memory and does not properly concatenate arrays of double-precision floating-point numbers, which allows remote attackers to… | |||
| CVE-2014-3194 | 0.00 | — | 0.01 | Oct 8, 2014 | Use-after-free vulnerability in the Web Workers implementation in Google Chrome before 38.0.2125.101 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. | |||
| CVE-2014-3193 | 0.00 | — | 0.02 | Oct 8, 2014 | The SessionService::GetLastSession function in browser/sessions/session_service.cc in Google Chrome before 38.0.2125.101 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors that leverage "type confusion" for… | |||
| CVE-2014-3192 | 0.00 | — | 0.02 | Oct 8, 2014 | Use-after-free vulnerability in the ProcessingInstruction::setXSLStyleSheet function in core/dom/ProcessingInstruction.cpp in the DOM implementation in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have… | |||
| CVE-2014-3191 | 0.00 | — | 0.01 | Oct 8, 2014 | Use-after-free vulnerability in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers a widget-position update that improperly interacts with… | |||
| CVE-2014-3190 | 0.00 | — | 0.01 | Oct 8, 2014 | Use-after-free vulnerability in the Event::currentTarget function in core/events/Event.cpp in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted… | |||
| CVE-2014-3189 | 0.00 | — | 0.01 | Oct 8, 2014 | The chrome_pdf::CopyImage function in pdf/draw_utils.cc in the PDFium component in Google Chrome before 38.0.2125.101 does not properly validate image-data dimensions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified… | |||
| CVE-2014-3188 | 0.00 | — | 0.06 | Oct 8, 2014 | Google Chrome before 38.0.2125.101 and Chrome OS before 38.0.2125.101 do not properly handle the interaction of IPC and Google V8, which allows remote attackers to execute arbitrary code via vectors involving JSON data, related to improper parsing of an escaped index by… | |||
| CVE-2014-3632 | 0.00 | — | 0.03 | Oct 7, 2014 | The default configuration in a sudoers file in the Red Hat openstack-neutron package before 2014.1.2-4, as used in Red Hat Enterprise Linux Open Stack Platform 5.0 for Red Hat Enterprise Linux 6, allows remote attackers to gain privileges via a crafted configuration file. NOTE:… | |||
| CVE-2014-3642 | 0.00 | — | 0.01 | Oct 6, 2014 | vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method." | |||
| CVE-2014-3521 | 0.00 | — | 0.01 | Oct 6, 2014 | The component in (1) /luci/homebase and (2) /luci/cluster menu in Red Hat Conga 0.12.2 allows remote authenticated users to bypass intended access restrictions via a crafted URL. | |||
| CVE-2014-0140 | 0.00 | — | 0.01 | Oct 6, 2014 | Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request. | |||
| CVE-2013-6496 | 0.00 | — | 0.02 | Oct 6, 2014 | Red Hat Conga 0.12.2 allows remote attackers to obtain sensitive information via a crafted request to the (1) homebase, (2) cluster, (3) storage, (4) portal_skins/custom, or (5) logs Luci extension. | |||
| CVE-2014-3621 | 0.00 | — | 0.02 | Oct 2, 2014 | The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field. | |||
| CVE-2014-6055 | 0.00 | — | 0.08 | Sep 30, 2014 | Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer 0.9.9 and earlier allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a (1) long file or (2) directory name or the (3)… | |||
| CVE-2014-6051 | 0.00 | — | 0.08 | Sep 30, 2014 | Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer 0.9.9 and earlier allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via an advertisement for a large screen size, which triggers a heap-based buffer… | |||
| CVE-2014-3558 | 0.00 | — | 0.03 | Sep 30, 2014 | ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted… | |||
| CVE-2014-0170 | 0.00 | — | 0.02 | Sep 30, 2014 | Teiid before 8.4.3 and before 8.7 and Red Hat JBoss Data Virtualization 6.0.0 before patch 3 allows remote attackers to read arbitrary files via a crafted request to a REST endpoint, related to an XML External Entity (XXE) issue. | |||
| CVE-2014-7145 | 0.00 | — | 0.04 | Sep 28, 2014 | The SMB2_tcon function in fs/cifs/smb2pdu.c in the Linux kernel before 3.16.3 allows remote CIFS servers to cause a denial of service (NULL pointer dereference and client system crash) or possibly have unspecified other impact by deleting the IPC$ share during resolution of DFS… | |||
| CVE-2014-3595 | 0.00 | — | 0.02 | Sep 22, 2014 | Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging. | |||
| CVE-2014-0152 | 0.00 | — | 0.02 | Sep 8, 2014 | Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack web sessions via unspecified vectors. | |||
| CVE-2014-3562 | 0.00 | — | 0.02 | Aug 21, 2014 | Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory. | |||
| CVE-2014-4615 | 0.00 | — | 0.03 | Aug 19, 2014 | The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the… | |||
| CVE-2014-3490 | 0.00 | — | 0.05 | Aug 19, 2014 | RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read… | |||
| CVE-2014-3472 | 0.00 | — | 0.02 | Aug 19, 2014 | The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via… |
- CVE-2014-8333Oct 31, 2014risk 0.00cvss —epss 0.02
The VMware driver in OpenStack Compute (Nova) before 2014.1.4 allows remote authenticated users to cause a denial of service (disk consumption) by deleting an instance in the resize state.
- CVE-2014-3708Oct 31, 2014risk 0.00cvss —epss 0.03
OpenStack Compute (Nova) before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (CPU consumption) via an IP filter in a list active servers API request.
- CVE-2014-0136Oct 27, 2014risk 0.00cvss —epss 0.02
The (1) get and (2) log methods in the AgentController in Red Hat CloudForms 3.0 Management Engine (CFME) 5.x allow remote attackers to insert arbitrary text into log files via unspecified vectors.
- CVE-2014-5075Oct 25, 2014risk 0.00cvss —epss 0.01
The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows…
- CVE-2014-7968Oct 22, 2014risk 0.00cvss —epss 0.02
VDSM allows remote attackers to cause a denial of service (connection blocking) by keeping an SSL connection open.
- CVE-2014-3677Oct 22, 2014risk 0.00cvss —epss 0.03
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.
- CVE-2014-3676Oct 22, 2014risk 0.00cvss —epss 0.05
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."
- CVE-2014-3675Oct 22, 2014risk 0.00cvss —epss 0.03
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.
- CVE-2014-3573Oct 18, 2014risk 0.00cvss —epss 0.02
The oVirt Engine backend module, as used in Red Hat Enterprise Virtualization Manager before 3.4.2, uses an "insecure DocumentBuilderFactory," which allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted XML/RSDL document, related…
- CVE-2014-3680Oct 16, 2014risk 0.00cvss —epss 0.01
Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.
- CVE-2014-3667Oct 16, 2014risk 0.00cvss —epss 0.01
Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.
- CVE-2014-3666Oct 16, 2014risk 0.00cvss —epss 0.04
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.
- CVE-2014-3663Oct 16, 2014risk 0.00cvss —epss 0.01
Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.
- CVE-2014-3662Oct 16, 2014risk 0.00cvss —epss 0.02
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.
- CVE-2014-3661Oct 16, 2014risk 0.00cvss —epss 0.02
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.
- CVE-2014-3681Oct 15, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2014-3664Oct 15, 2014risk 0.00cvss —epss 0.02
Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.
- CVE-2014-3593Oct 15, 2014risk 0.00cvss —epss 0.01
Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration.
- CVE-2014-7283Oct 13, 2014risk 0.00cvss —epss 0.01
The xfs_da3_fixhashpath function in fs/xfs/xfs_da_btree.c in the xfs implementation in the Linux kernel before 3.14.2 does not properly compare btree hash values, which allows local users to cause a denial of service (filesystem corruption, and OOPS or panic) via operations on…
- CVE-2014-7231Oct 8, 2014risk 0.00cvss —epss 0.01
The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.
- CVE-2014-7230Oct 8, 2014risk 0.00cvss —epss 0.00
The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.
- CVE-2014-3200Oct 8, 2014risk 0.00cvss —epss 0.01
Multiple unspecified vulnerabilities in Google Chrome before 38.0.2125.101 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
- CVE-2014-3199Oct 8, 2014risk 0.00cvss —epss 0.01
The wrap function in bindings/core/v8/custom/V8EventCustom.cpp in the V8 bindings in Blink, as used in Google Chrome before 38.0.2125.101, has an erroneous fallback outcome for wrapper-selection failures, which allows remote attackers to cause a denial of service via vectors…
- CVE-2014-3198Oct 8, 2014risk 0.00cvss —epss 0.01
The Instance::HandleInputEvent function in pdf/instance.cc in the PDFium component in Google Chrome before 38.0.2125.101 interprets a certain -1 value as an index instead of a no-visible-page error code, which allows remote attackers to cause a denial of service (out-of-bounds…
- CVE-2014-3197Oct 8, 2014risk 0.00cvss —epss 0.01
The NavigationScheduler::schedulePageBlock function in core/loader/NavigationScheduler.cpp in Blink, as used in Google Chrome before 38.0.2125.101, does not properly provide substitute data for pages blocked by the XSS auditor, which allows remote attackers to obtain sensitive…
- CVE-2014-3195Oct 8, 2014risk 0.00cvss —epss 0.01
Google V8, as used in Google Chrome before 38.0.2125.101, does not properly track JavaScript heap-memory allocations as allocations of uninitialized memory and does not properly concatenate arrays of double-precision floating-point numbers, which allows remote attackers to…
- CVE-2014-3194Oct 8, 2014risk 0.00cvss —epss 0.01
Use-after-free vulnerability in the Web Workers implementation in Google Chrome before 38.0.2125.101 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
- CVE-2014-3193Oct 8, 2014risk 0.00cvss —epss 0.02
The SessionService::GetLastSession function in browser/sessions/session_service.cc in Google Chrome before 38.0.2125.101 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors that leverage "type confusion" for…
- CVE-2014-3192Oct 8, 2014risk 0.00cvss —epss 0.02
Use-after-free vulnerability in the ProcessingInstruction::setXSLStyleSheet function in core/dom/ProcessingInstruction.cpp in the DOM implementation in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have…
- CVE-2014-3191Oct 8, 2014risk 0.00cvss —epss 0.01
Use-after-free vulnerability in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers a widget-position update that improperly interacts with…
- CVE-2014-3190Oct 8, 2014risk 0.00cvss —epss 0.01
Use-after-free vulnerability in the Event::currentTarget function in core/events/Event.cpp in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted…
- CVE-2014-3189Oct 8, 2014risk 0.00cvss —epss 0.01
The chrome_pdf::CopyImage function in pdf/draw_utils.cc in the PDFium component in Google Chrome before 38.0.2125.101 does not properly validate image-data dimensions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified…
- CVE-2014-3188Oct 8, 2014risk 0.00cvss —epss 0.06
Google Chrome before 38.0.2125.101 and Chrome OS before 38.0.2125.101 do not properly handle the interaction of IPC and Google V8, which allows remote attackers to execute arbitrary code via vectors involving JSON data, related to improper parsing of an escaped index by…
- CVE-2014-3632Oct 7, 2014risk 0.00cvss —epss 0.03
The default configuration in a sudoers file in the Red Hat openstack-neutron package before 2014.1.2-4, as used in Red Hat Enterprise Linux Open Stack Platform 5.0 for Red Hat Enterprise Linux 6, allows remote attackers to gain privileges via a crafted configuration file. NOTE:…
- CVE-2014-3642Oct 6, 2014risk 0.00cvss —epss 0.01
vmdb/app/controllers/application_controller/performance.rb in Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to gain privileges via unspecified vectors, related to an "insecure send method."
- CVE-2014-3521Oct 6, 2014risk 0.00cvss —epss 0.01
The component in (1) /luci/homebase and (2) /luci/cluster menu in Red Hat Conga 0.12.2 allows remote authenticated users to bypass intended access restrictions via a crafted URL.
- CVE-2014-0140Oct 6, 2014risk 0.00cvss —epss 0.01
Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request.
- CVE-2013-6496Oct 6, 2014risk 0.00cvss —epss 0.02
Red Hat Conga 0.12.2 allows remote attackers to obtain sensitive information via a crafted request to the (1) homebase, (2) cluster, (3) storage, (4) portal_skins/custom, or (5) logs Luci extension.
- CVE-2014-3621Oct 2, 2014risk 0.00cvss —epss 0.02
The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.
- CVE-2014-6055Sep 30, 2014risk 0.00cvss —epss 0.08
Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer 0.9.9 and earlier allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a (1) long file or (2) directory name or the (3)…
- CVE-2014-6051Sep 30, 2014risk 0.00cvss —epss 0.08
Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer 0.9.9 and earlier allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via an advertisement for a large screen size, which triggers a heap-based buffer…
- CVE-2014-3558Sep 30, 2014risk 0.00cvss —epss 0.03
ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted…
- CVE-2014-0170Sep 30, 2014risk 0.00cvss —epss 0.02
Teiid before 8.4.3 and before 8.7 and Red Hat JBoss Data Virtualization 6.0.0 before patch 3 allows remote attackers to read arbitrary files via a crafted request to a REST endpoint, related to an XML External Entity (XXE) issue.
- CVE-2014-7145Sep 28, 2014risk 0.00cvss —epss 0.04
The SMB2_tcon function in fs/cifs/smb2pdu.c in the Linux kernel before 3.16.3 allows remote CIFS servers to cause a denial of service (NULL pointer dereference and client system crash) or possibly have unspecified other impact by deleting the IPC$ share during resolution of DFS…
- CVE-2014-3595Sep 22, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.
- CVE-2014-0152Sep 8, 2014risk 0.00cvss —epss 0.02
Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack web sessions via unspecified vectors.
- CVE-2014-3562Aug 21, 2014risk 0.00cvss —epss 0.02
Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory.
- CVE-2014-4615Aug 19, 2014risk 0.00cvss —epss 0.03
The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the…
- CVE-2014-3490Aug 19, 2014risk 0.00cvss —epss 0.05
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read…
- CVE-2014-3472Aug 19, 2014risk 0.00cvss —epss 0.02
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via…
Page 54 of 74