CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-7497 – CFME: Dialog for creating cloud volumes does not filter cloud tenants CVE-2017-7497
https://notcve.org/view.php?id=CVE-2017-7497
The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant. El diálogo para crear volúmenes de cloud (cinder provider) en CloudForms no filtra a los inquilinos de cloud por usuario. Un atacante con la capacidad de crear volúmenes de almacenamiento podría usar esto para crear volúmenes de almacenamiento para cualquier otro inquilino. • https://access.redhat.com/errata/RHSA-2017:1601 https://access.redhat.com/errata/RHSA-2017:1758 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7497 https://access.redhat.com/security/cve/CVE-2017-7497 https://bugzilla.redhat.com/show_bug.cgi?id=1450150 • CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2016-7047 – cfme: API leaks any MiqReportResult
https://notcve.org/view.php?id=CVE-2016-7047
A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access. Se ha detectado un error en la API CloudForms en versiones anteriores a las 5.6.3.0, 5.7.3.1 y 5.8.1.2. Un usuario con permisos para emplear la funcionalidad MiqReportResults en la API podría ver datos de otros inquilinos o grupos a los que no debería tener acceso. A flaw was found in the CloudForms API. • http://www.securityfocus.com/bid/99329 https://access.redhat.com/errata/RHSA-2017:1601 https://access.redhat.com/errata/RHSA-2017:1758 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7047 https://access.redhat.com/security/cve/CVE-2016-7047 https://bugzilla.redhat.com/show_bug.cgi?id=1374215 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2639 – CloudForms: cloudforms fails to properly check certificates when communicating with RHEV and OpenShift and custom CA
https://notcve.org/view.php?id=CVE-2017-2639
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensitive information from CloudForms. Se ha detectado que CloudForms no verifica que el nombre de host del servidor coincida con el nombre de dominio en el certificado cuando se utiliza una CA personalizada y se comunica con Red Hat Virtualization (RHEV) y OpenShift. Esto permitiría a un atacante falsificar sistemas RHEV u OpenShift y potencialmente obtener información sensible de CloudForms. • http://www.securityfocus.com/bid/98769 http://www.securitytracker.com/id/1038599 https://access.redhat.com/errata/RHSA-2017:1367 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2639 https://access.redhat.com/security/cve/CVE-2017-2639 https://bugzilla.redhat.com/show_bug.cgi?id=1429632 • CWE-295: Improper Certificate Validation •