Latest redhat cloudforms Vulnerabilities

CVE-2020-25716
A flaw was found in Cloudforms. A role-based privileges escalation flaw where export or import of administrator files is possible. An attacker with a specific group can perform actions restricted only...
Redhat Cloudforms<5.11.10.1
redhat/cfme<5.11.10.1
CVE-2020-14369
This release fixes a Cross Site Request Forgery vulnerability was found in Red Hat CloudForms which forces end users to execute unwanted actions on a web application in which the user is currently aut...
Redhat Cloudforms<=5.11
redhat/cfme-gemset 5.11.8.1<1
CVE-2020-14325
Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Impersonation authorization flaw which allows malicious attacker to create existent and non-existent role-based access control user, with ...
redhat/cfme<5.11.7.0
Redhat Cloudforms<5.11.7.0
CVE-2020-10783
Red Hat CloudForms 4.7 and 5 is affected by a role-based privilege escalation flaw. An attacker with EVM-Operator group can perform actions restricted only to EVM-Super-administrator group, leads to, ...
Redhat Cloudforms=4.7
Redhat Cloudforms=5.0.0
redhat/cfme-gemset<5.11.7.1
CVE-2020-10779
Red Hat CloudForms 4.7 and 5 leads to insecure direct object references (IDOR) and functional level access control bypass due to missing privilege check. Therefore, if an attacker knows the right crit...
Redhat Cloudforms=4.7
Redhat Cloudforms=5.0.0
redhat/cfme-gemset<5.11.7.1
CVE-2020-10778
In Red Hat CloudForms 4.7 and 5, the read only widgets can be edited by inspecting the forms and dropping the disabled attribute from the fields since there is no server-side validation. This business...
Redhat Cloudforms=4.7
Redhat Cloudforms=5.0.0
redhat/cfme-gemset<5.11.7.1
CVE-2020-10777
A cross-site scripting flaw was found in Report Menu feature of Red Hat CloudForms 4.7 and 5. An attacker could use this flaw to execute a stored XSS attack on an application administrator using Cloud...
Redhat Cloudforms=4.7
Redhat Cloudforms=5.0.0
redhat/cfme-gemset<5.11.7.1
CVE-2014-0197
Redhat Cloudforms=3.0
Redhat Cloudforms Management Engine>=5.0<=5.9.3.1
CVE-2013-4423
CloudForms stores user passwords in recoverable format
Redhat Cloudforms=3.0
CVE-2013-0186
Multiple cross-site scripting (XSS) vulnerabilities in ManageIQ EVM allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Redhat Cloudforms=3.0
Redhat Manageiq Enterprise Virtualization Manager
CVE-2019-16892
A vulnerability was found in Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to...
<1.3.0
=29
=30
=31
=4.7
=5.11
and 3 more
CVE-2019-10159
cfme-gemset versions 5.10.4.3 and below, 5.9.9.3 and below are vulnerable to a data leak, due to an improper authorization in the migration log controller. An attacker with access to an unprivileged u...
Redhat Cfme-gemset>=5.9.0.22<=5.9.9.3
Redhat Cfme-gemset>=5.10.0.33<=5.10.4.3
Redhat Cloudforms=4.7
CVE-2019-11358
A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted J...
redhat/ansible-tower<0:3.5.2-1.el7a
redhat/cfme<0:5.10.9.1-1.el7cf
redhat/cfme-amazon-smartstate<0:5.10.9.1-1.el7cf
redhat/cfme-appliance<0:5.10.9.1-1.el7cf
redhat/cfme-gemset<0:5.10.9.1-1.el7cf
redhat/ovirt-ansible-hosted-engine-setup<0:1.0.23-1.el7e
and 267 more
CVE-2019-5418
# File Content Disclosure in Action View Impact ------ There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to `rend...
rubygems/actionview>=4.0.0<=4.2.11.0
rubygems/actionview>=5.2.0<=5.2.2.0
rubygems/actionview>=5.0.0<=5.0.7.1
rubygems/actionview>=5.1.0<=5.1.6.1
Rubyonrails Rails>=3.0.0<4.2.11.1
Rubyonrails Rails>=5.0.0<5.0.7.2
and 8 more
CVE-2019-5419
# Denial of Service Vulnerability in Action View Impact ------ Specially crafted accept headers can cause the Action View template location code to consume 100% CPU, causing the server unable to pr...
rubygems/actionview>=6.0.0.beta1<6.0.0.beta3
rubygems/actionview>=5.2.0<=5.2.2.0
rubygems/actionview>=4.0.0<=4.2.11.0
rubygems/actionview>=5.0.0<=5.0.7.1
rubygems/actionview>=5.1.0<=5.1.6.1
Rubyonrails Rails<4.2.11.1
and 23 more
CVE-2018-16476
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to informa...
Rubyonrails Rails>=4.2.0<4.2.11
Rubyonrails Rails>=5.0.0<5.0.7.1
Rubyonrails Rails>=5.1.0<5.1.6.1
Rubyonrails Rails>=5.2.0<5.2.1.1
Redhat Cloudforms=4.6
redhat/activejob<4.2.11
and 3 more
CVE-2016-5402
A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use...
Redhat Cloudforms=4.1
Redhat Cloudforms Management Engine=5.6
CVE-2016-7071
It was found that the CloudForms before 5.6.2.2, and 5.7.0.7 did not properly apply permissions controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbi...
Redhat Cloudforms Management Engine<5.6.2.2
Redhat Cloudforms Management Engine>=5.7.0.0<5.7.0.7
Redhat Cloudforms=4.1
CVE-2017-2632
A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a higher privilege level than the tenant administrator should have. ...
Redhat Cloudforms Management Engine<5.7.1.3
Redhat Cloudforms=4.2
CVE-2017-2639
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShi...
Redhat Cloudforms=4.5
Redhat Cloudforms Management Engine=5.8
CVE-2018-10905
CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacker with access to an unprivileged local shell could use this flaw to ex...
redhat/cfme<5.8.5.0
redhat/cfme<5.9.4.2
Redhat Cloudforms=4.5
Redhat Cloudforms=4.6
Redhat Cloudforms Management Engine=5.8
Redhat Cloudforms Management Engine=5.9
CVE-2018-3760
Specially crafted requests can be used to access files that exist on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users runni...
rubygems/sprockets>=4.0.0.beta1<=4.0.0.beta7
rubygems/sprockets>=3.0.0<3.7.2
rubygems/sprockets<2.12.5
redhat/rubygem-sprockets<4.0.0
redhat/rubygem-sprockets<3.7.2
redhat/rubygem-sprockets<2.12.5
and 20 more
CVE-2018-1000544
rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be e...
redhat/rubyzip<1.2.2
Rubyzip Project Rubyzip<=1.2.1
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Redhat Cloudforms=4.6
rubygems/rubyzip<=1.2.1
CVE-2018-10855
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged,...
pip/ansible>=2.4.0<2.4.5
pip/ansible>=2.5.0<2.5.5
Redhat Ansible Engine>=2.4<2.4.5
Redhat Ansible Engine>2.5<=2.5.5
Redhat Ansible Engine=2.0
Redhat Cloudforms=4.6
and 13 more
CVE-2018-11627
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.
rubygems/sinatra>=2.0.0<2.0.2
Sinatrarb Sinatra<2.0.2
Redhat Cloudforms=4.6
Redhat Cloudforms=4.7

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203