Page 2 of 12 results (0.010 seconds)

CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0

CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges. CloudForms Management Engine (cfme) en versiones anteriores a la 5.7.3 y 5.8.x anteriores a la 5.8.1 carece de controles RBAC en determinados métodos en la parte de la aplicación rails de CloudForms. Un atacante con acceso podría utilizar una variedad de métodos en la parte de la aplicación rails de CloudForms para escalar privilegios. CloudForms lacks RBAC controls on certain methods in the rails application portion of CloudForms. • http://www.securityfocus.com/bid/100148 https://access.redhat.com/errata/RHSA-2017:1758 https://access.redhat.com/errata/RHSA-2017:3484 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2664 https://access.redhat.com/security/cve/CVE-2017-2664 https://bugzilla.redhat.com/show_bug.cgi?id=1435393 • CWE-284: Improper Access Control •

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0

The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant. El diálogo para crear volúmenes de cloud (cinder provider) en CloudForms no filtra a los inquilinos de cloud por usuario. Un atacante con la capacidad de crear volúmenes de almacenamiento podría usar esto para crear volúmenes de almacenamiento para cualquier otro inquilino. • https://access.redhat.com/errata/RHSA-2017:1601 https://access.redhat.com/errata/RHSA-2017:1758 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7497 https://access.redhat.com/security/cve/CVE-2017-7497 https://bugzilla.redhat.com/show_bug.cgi?id=1450150 • CWE-284: Improper Access Control •

CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0

A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access. Se ha detectado un error en la API CloudForms en versiones anteriores a las 5.6.3.0, 5.7.3.1 y 5.8.1.2. Un usuario con permisos para emplear la funcionalidad MiqReportResults en la API podría ver datos de otros inquilinos o grupos a los que no debería tener acceso. A flaw was found in the CloudForms API. • http://www.securityfocus.com/bid/99329 https://access.redhat.com/errata/RHSA-2017:1601 https://access.redhat.com/errata/RHSA-2017:1758 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7047 https://access.redhat.com/security/cve/CVE-2016-7047 https://bugzilla.redhat.com/show_bug.cgi?id=1374215 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate. CloudForms Management Engine anterior a la versión 5.8 incluye un certificado SSL/TLS por defecto. CloudForms includes a default SSL/TLS certificate for the web server. This certificate is replaced at install time. However if an attacker were able to man-in-the-middle an administrator while installing the new certificate, the attacker could get a copy of the uploaded private key allowing for future attacks. • http://www.securitytracker.com/id/1038599 https://access.redhat.com/errata/RHSA-2017:1367 https://access.redhat.com/errata/RHSA-2017:1601 https://bugzilla.redhat.com/show_bug.cgi?id=1341308 https://access.redhat.com/security/cve/CVE-2016-4457 • CWE-310: Cryptographic Issues CWE-798: Use of Hard-coded Credentials •

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting or similar attacks in order to execute. Una serie de rutas de borrado no utilizadas están presentes en CloudForms en versiones anteriores a la 5.7.2.1, a las que se puede acceder a través de peticiones GET en lugar de sólo peticiones POST. Esto podría permitir a un atacante omitir la protección protect_from_forgery XSRF que provoca el uso de esas rutas. • http://www.securityfocus.com/bid/96964 https://access.redhat.com/errata/RHSA-2017:0898 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2653 https://access.redhat.com/security/cve/CVE-2017-2653 https://bugzilla.redhat.com/show_bug.cgi?id=1432174 • CWE-20: Improper Input Validation •