CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2012-6115 – rhev: rhevm-manage-domains logs admin passwords
https://notcve.org/view.php?id=CVE-2012-6115
12 Mar 2013 — The domain management tool (rhevm-manage-domains) in Red Hat Enterprise Virtualization Manager (RHEV-M) 3.1 and earlier, when the validate action is enabled, logs the administrative password to a world-readable log file, which allows local users to obtain sensitive information by reading this file. La herramienta para la gestión de dominios (rhevm-manage-domains)Red Hat Enterprise Virtualization Manager (RHEV-M) v3.1 y anteriores, cuando la opción de validación está activada, registra la contraseña administ... • http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git%3Ba=commit%3Bh=e8c72daec4efa8be0fcd8ea55c41e855ddd8eedf • CWE-255: Credentials Management Errors •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2011-4316 – SPICE screen locking race condition
https://notcve.org/view.php?id=CVE-2011-4316
04 Jan 2013 — Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, in certain unspecified conditions, does not lock the desktop screen between SPICE sessions, which allows local users with access to a virtual machine to gain access to other users' desktop sessions via unspecified vectors. Red Hat Enterprise Virtualization Manager (RHEV-M) anteriores a v3.1, en ciertas condificones no especificadas, no bloquea la pantalla del escritorio entre sesiones SPICE, lo que permite a usuarios locales con acceso a una máq... • http://rhn.redhat.com/errata/RHSA-2012-1506.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2012-5516 – rhev-m: MoveDisk ignores the disk's wipe-after-delete property
https://notcve.org/view.php?id=CVE-2012-5516
04 Jan 2013 — Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when moving disks between storage domains, does not properly wipe-after-delete, which prevents disks from being securely deleted and might allow local users to obtain sensitive information via unspecified vectors. Red Hat Enterprise Virtualization Manager (RHEV-M) anteriores a v3.1, cuando se mueven discos entre dominios de almacenamiento, no efectúa de forma adecuada la eliminación segura (wipe) después de borrar, lo que evita que un disco no s... • http://rhn.redhat.com/errata/RHSA-2012-1506.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2012-0860 – rhev: vds_installer insecure /tmp use
https://notcve.org/view.php?id=CVE-2012-0860
04 Jan 2013 — Multiple untrusted search path vulnerabilities in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, allow local users to gain privileges via a Trojan horse (1) deployUtil.py or (2) vds_bootstrap.py Python module in /tmp/. Múltiples vulnerabilidades de path de búsqueda no confiable en Red Hat Enterprise Virtualization Manager (RHEV-M) anteriores a v3.1, cuando se añade un host, permite a usuario locales obtener privilegios a través de un fichero (1) deployUtil.py o (2) el mód... • http://rhn.redhat.com/errata/RHSA-2012-1506.html • CWE-377: Insecure Temporary File •
CVSS: 9.1EPSS: 0%CPEs: 4EXPL: 0CVE-2012-0861 – rhev: vds_installer is prone to MITM when downloading 2nd stage installer
https://notcve.org/view.php?id=CVE-2012-0861
04 Jan 2013 — The vds_installer in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, uses the -k curl parameter when downloading deployUtil.py and vds_bootstrap.py, which prevents SSL certificates from being validated and allows remote attackers to execute arbitrary Python code via a man-in-the-middle attack. El vds_installer en Red Hat Enterprise Virtualization Manager (RHEV-M) anteriores a v3.1, cuando se añade un host, usa el parámetro "-k curl" cuando se descarga deployUtil.py y vds_b... • http://rhn.redhat.com/errata/RHSA-2012-1505.html • CWE-295: Improper Certificate Validation CWE-310: Cryptographic Issues •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2012-2696 – rhev: backend allows unprivileged queries
https://notcve.org/view.php?id=CVE-2012-2696
04 Jan 2013 — The backend in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1 does not properly check privileges, which allows remote authenticated users to query arbitrary information via a (1) SOAP or (2) GWT request. El "backend" en Red Hat Enterprise Virtualization Manager (RHEV-M) anteriores a v3.1 no comprueba los privilegios de forma adecuada, lo que permite a usuarios remotos autenticados a consultar información a través de una consulta (1) SOAP o (2) GWT. • http://rhn.redhat.com/errata/RHSA-2012-1506.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.0EPSS: 0%CPEs: 4EXPL: 0CVE-2010-2793 – spice activex/spicec named pipe races
https://notcve.org/view.php?id=CVE-2010-2793
08 Dec 2010 — Race condition in the SPICE (aka spice-activex) plug-in for Internet Explorer in Red Hat Enterprise Virtualization (RHEV) Manager before 2.2.4 allows local users to create a certain named pipe, and consequently gain privileges, via vectors involving knowledge of the name of this named pipe, in conjunction with use of the ImpersonateNamedPipeClient function. Condición de carrera en el plug-in SPICE (también conocido como spice-activex) para Internet Explorer en Red Hat Enterprise Virtualization (RHEV) Manage... • http://securitytracker.com/id?1024825 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2010-2224 – rhev-m: merge snapshot does not pass postzero parameter for deleted volumes
https://notcve.org/view.php?id=CVE-2010-2224
24 Jun 2010 — The snapshot merging functionality in Red Hat Enterprise Virtualization Manager (aka RHEV-M) before 2.2 does not properly pass the postzero parameter during operations on deleted volumes, which allows guest OS users to obtain sensitive information by examining the disk blocks associated with a deleted virtual machine. La funcionalidad snapshot merging en Red Hat Enterprise Virtualization Manager (conocido como RHEV-M) anterior v2.2 no pasa adecuadamente el parámetro prostzero durante las operaciones en el b... • http://www.securityfocus.com/bid/41045 • CWE-264: Permissions, Privileges, and Access Controls •