
CVSS: 9.0 • EPSS: 97% • CPEs: 18 • EXPL: 3

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups. A vulnerability was found in the XML-RPC interface in supervisord: when processing malformed commands, an attacker can cause arbitrary shell commands to be executed on the server as the same user as supervisord. Exploitation requires the attacker to first be authenticated to the supervisord service.
• https://www.exploit-db.com/exploits/42779 https://github.com/yaunsky/CVE-2017-11610 https://github.com/ivanitlearning/CVE-2017-11610 http://www.debian.org/security/2017/dsa-3942 https://access.redhat.com/errata/RHSA-2017:3005 https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt https://github.com/Supervisor/supervisor/blob/3.3.
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') • CWE-276: Incorrect Default Permissions

CVSS: 8.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that a privilege check is missing when arbitrary methods are invoked via filtering on VMs, which MiqExpression will then execute; this condition is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs).
• http://www.securityfocus.com/bid/100151 https://access.redhat.com/errata/RHSA-2017:1758 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7530 https://access.redhat.com/security/cve/CVE-2017-7530 https://bugzilla.redhat.com/show_bug.cgi?id=1465448
• CWE-862: Missing Authorization

CVSS: 6.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the Rails application portion of CloudForms. An attacker with access could use a variety of methods within the Rails application portion of CloudForms to escalate privileges.
• http://www.securityfocus.com/bid/100148 https://access.redhat.com/errata/RHSA-2017:1758 https://access.redhat.com/errata/RHSA-2017:3484 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2664 https://access.redhat.com/security/cve/CVE-2017-2664 https://bugzilla.redhat.com/show_bug.cgi?id=1435393
• CWE-284: Improper Access Control

CVSS: 4.3 • EPSS: 0% • CPEs: 5 • EXPL: 0

A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access.
• http://www.securityfocus.com/bid/99329 https://access.redhat.com/errata/RHSA-2017:1601 https://access.redhat.com/errata/RHSA-2017:1758 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7047 https://access.redhat.com/security/cve/CVE-2016-7047 https://bugzilla.redhat.com/show_bug.cgi?id=1374215
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensitive information from CloudForms.
• http://www.securityfocus.com/bid/98769 http://www.securitytracker.com/id/1038599 https://access.redhat.com/errata/RHSA-2017:1367 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2639 https://access.redhat.com/security/cve/CVE-2017-2639 https://bugzilla.redhat.com/show_bug.cgi?id=1429632
• CWE-295: Improper Certificate Validation