CVE-2014-3489 – CFME: Default salt value in miq-password.rb
https://notcve.org/view.php?id=CVE-2014-3489
lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 uses a hard-coded salt, which makes it easier for remote attackers to guess passwords via a brute force attack. lib/util/miq-password.rb en Red Hat CloudForms 3.0 Management Engine (CFME) anterior a 5.2.4.2 utiliza un salt embebido, lo que facilita a atacantes remotos adivinar contraseñas a través de un ataque de fuerza bruta. • http://rhn.redhat.com/errata/RHSA-2014-0816.html http://www.securityfocus.com/bid/68299 https://access.redhat.com/security/cve/CVE-2014-3489 https://bugzilla.redhat.com/show_bug.cgi?id=1107853 • CWE-255: Credentials Management Errors CWE-321: Use of Hard-coded Cryptographic Key •
CVE-2014-0184 – CFME: root password is written to evm.log when entered during VM provisioning
https://notcve.org/view.php?id=CVE-2014-0184
Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 logs the root password when deploying a VM, which allows local users to obtain sensitive information by reading the evm.log file. Red Hat CloudForms 3.0 Management Engine (CFME) anterior a 5.2.4.2 registra la contraseña root cuando implementa un VM, lo que permite a usuarios locales obtener información sensible mediante la lectura del fichero evm.log. • http://rhn.redhat.com/errata/RHSA-2014-0816.html https://access.redhat.com/security/cve/CVE-2014-0184 https://bugzilla.redhat.com/show_bug.cgi?id=1089131 • CWE-255: Credentials Management Errors CWE-522: Insufficiently Protected Credentials •
CVE-2014-0180 – CFME: app/controllers/application_controller.rb wait_for_task DoS
https://notcve.org/view.php?id=CVE-2014-0180
The wait_for_task function in app/controllers/application_controller.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via unspecified vectors. La función wait_for_task en app/controllers/application_controller.rb en Red Hat CloudForms 3.0 Management Engine (CFME) anterior a 5.2.4.2 permite a atacantes remotos causar una denegación de servicio (bucle infinito y consumo de CPU) a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2014-0816.html https://access.redhat.com/security/cve/CVE-2014-0180 https://bugzilla.redhat.com/show_bug.cgi?id=1087909 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVE-2014-0137 – CFME: ReportController SQL injection
https://notcve.org/view.php?id=CVE-2014-0137
SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists. Vulnerabilidad de inyección SQL en la acción saved_report_delete en ReportController en Red Hat CloudForms Management Engine (CFME) anterior a 5.2.3.2 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de vectores no especificados, relacionado con MiqReportResult.exists. • http://rhn.redhat.com/errata/RHSA-2014-0469.html https://access.redhat.com/security/cve/CVE-2014-0137 https://bugzilla.redhat.com/show_bug.cgi?id=1076688 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-0078 – CFME: multiple authorization bypass vulnerabilities in CatalogController
https://notcve.org/view.php?id=CVE-2014-0078
The CatalogController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to delete arbitrary catalogs via vectors involving guessing the catalog ID. CatalogController en Red Hat CloudForms Management Engine (CFME) anterior a 5.2.3.2 permite a usuarios remotos autenticados eliminar catálogos arbitrarios a través de vectores involucrando adivinar el identificador del catálogo. • http://rhn.redhat.com/errata/RHSA-2014-0469.html https://bugzilla.redhat.com/show_bug.cgi?id=1064556 https://access.redhat.com/security/cve/CVE-2014-0078 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •