CVE-2014-0180 – CFME: app/controllers/application_controller.rb wait_for_task DoS
https://notcve.org/view.php?id=CVE-2014-0180
The wait_for_task function in app/controllers/application_controller.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via unspecified vectors. La función wait_for_task en app/controllers/application_controller.rb en Red Hat CloudForms 3.0 Management Engine (CFME) anterior a 5.2.4.2 permite a atacantes remotos causar una denegación de servicio (bucle infinito y consumo de CPU) a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2014-0816.html https://access.redhat.com/security/cve/CVE-2014-0180 https://bugzilla.redhat.com/show_bug.cgi?id=1087909 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVE-2014-0137 – CFME: ReportController SQL injection
https://notcve.org/view.php?id=CVE-2014-0137
SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists. Vulnerabilidad de inyección SQL en la acción saved_report_delete en ReportController en Red Hat CloudForms Management Engine (CFME) anterior a 5.2.3.2 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de vectores no especificados, relacionado con MiqReportResult.exists. • http://rhn.redhat.com/errata/RHSA-2014-0469.html https://access.redhat.com/security/cve/CVE-2014-0137 https://bugzilla.redhat.com/show_bug.cgi?id=1076688 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-0078 – CFME: multiple authorization bypass vulnerabilities in CatalogController
https://notcve.org/view.php?id=CVE-2014-0078
The CatalogController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to delete arbitrary catalogs via vectors involving guessing the catalog ID. CatalogController en Red Hat CloudForms Management Engine (CFME) anterior a 5.2.3.2 permite a usuarios remotos autenticados eliminar catálogos arbitrarios a través de vectores involucrando adivinar el identificador del catálogo. • http://rhn.redhat.com/errata/RHSA-2014-0469.html https://bugzilla.redhat.com/show_bug.cgi?id=1064556 https://access.redhat.com/security/cve/CVE-2014-0078 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVE-2013-6443 – CFME: GET request CSRF vulnerability
https://notcve.org/view.php?id=CVE-2013-6443
CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request. CloudForms 3.0 Management Engine anterior a la versión 5.2.1.6 permite a atacantes remotos evadir el mecanismo protect_from_forgery de Ruby on Rails y llevar a cabo ataques de CSRF a través de una acción destructiva en una petición. • http://rhn.redhat.com/errata/RHSA-2014-0025.html http://www.securitytracker.com/id/1029606 https://access.redhat.com/security/cve/CVE-2013-6443 https://bugzilla.redhat.com/show_bug.cgi?id=1044178 • CWE-352: Cross-Site Request Forgery (CSRF) •