CVE-2013-0168 – rhev-m: insufficient MoveDisk target domain permission checks
https://notcve.org/view.php?id=CVE-2013-0168
The MoveDisk command in Red Hat Enterprise Virtualization Manager (RHEV-M) 3.1 and earlier does not properly check permissions on storage domains, which allows remote authenticated storage admins to cause a denial of service (free space consumption of other storage domains) via unspecified vectors. El comando MoveDisk en Red Hat Enterprise Virtualization Manager (RHEV-M) v3.1 y anteriores, no valida adecuadamente los permisos en los dominios de almacenamiento, lo que permite a administradores de almacenamiento autenticados remotamente provocar una denegación de servicio (agotamiento del espacio libre sobre otros dominios de almacenamiento) a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2013-0211.html http://www.securityfocus.com/bid/57750 http://www.securitytracker.com/id/1028076 https://bugzilla.redhat.com/show_bug.cgi?id=893355 https://exchange.xforce.ibmcloud.com/vulnerabilities/81834 https://access.redhat.com/security/cve/CVE-2013-0168 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-6115 – rhev: rhevm-manage-domains logs admin passwords
https://notcve.org/view.php?id=CVE-2012-6115
The domain management tool (rhevm-manage-domains) in Red Hat Enterprise Virtualization Manager (RHEV-M) 3.1 and earlier, when the validate action is enabled, logs the administrative password to a world-readable log file, which allows local users to obtain sensitive information by reading this file. La herramienta para la gestión de dominios (rhevm-manage-domains)Red Hat Enterprise Virtualization Manager (RHEV-M) v3.1 y anteriores, cuando la opción de validación está activada, registra la contraseña administrativa en un archivo de registro con permisos de lectura globales, lo que permite a usuarios locales obtener información sensible mediante su lectura. • http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git%3Ba=commit%3Bh=e8c72daec4efa8be0fcd8ea55c41e855ddd8eedf http://rhn.redhat.com/errata/RHSA-2013-0211.html http://www.securityfocus.com/bid/57749 http://www.securitytracker.com/id/1028076 https://bugzilla.redhat.com/show_bug.cgi?id=893355 https://exchange.xforce.ibmcloud.com/vulnerabilities/81833 https://access.redhat.com/security/cve/CVE-2012-6115 https://bugzilla.redhat.com/show_bug.cgi?id=905865 • CWE-255: Credentials Management Errors •
CVE-2011-4316 – SPICE screen locking race condition
https://notcve.org/view.php?id=CVE-2011-4316
Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, in certain unspecified conditions, does not lock the desktop screen between SPICE sessions, which allows local users with access to a virtual machine to gain access to other users' desktop sessions via unspecified vectors. Red Hat Enterprise Virtualization Manager (RHEV-M) anteriores a v3.1, en ciertas condificones no especificadas, no bloquea la pantalla del escritorio entre sesiones SPICE, lo que permite a usuarios locales con acceso a una máquina virtual a obtener acceso a otra sesión de usuario a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2012-1506.html http://rhn.redhat.com/errata/RHSA-2012-1508.html http://www.securityfocus.com/bid/56825 http://www.securitytracker.com/id?1027838 https://bugzilla.redhat.com/show_bug.cgi?id=754876 https://access.redhat.com/security/cve/CVE-2011-4316 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-2696 – rhev: backend allows unprivileged queries
https://notcve.org/view.php?id=CVE-2012-2696
The backend in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1 does not properly check privileges, which allows remote authenticated users to query arbitrary information via a (1) SOAP or (2) GWT request. El "backend" en Red Hat Enterprise Virtualization Manager (RHEV-M) anteriores a v3.1 no comprueba los privilegios de forma adecuada, lo que permite a usuarios remotos autenticados a consultar información a través de una consulta (1) SOAP o (2) GWT. • http://rhn.redhat.com/errata/RHSA-2012-1506.html http://www.securityfocus.com/bid/56825 http://www.securitytracker.com/id?1027838 https://exchange.xforce.ibmcloud.com/vulnerabilities/80545 https://access.redhat.com/security/cve/CVE-2012-2696 https://bugzilla.redhat.com/show_bug.cgi?id=831565 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-5516 – rhev-m: MoveDisk ignores the disk's wipe-after-delete property
https://notcve.org/view.php?id=CVE-2012-5516
Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when moving disks between storage domains, does not properly wipe-after-delete, which prevents disks from being securely deleted and might allow local users to obtain sensitive information via unspecified vectors. Red Hat Enterprise Virtualization Manager (RHEV-M) anteriores a v3.1, cuando se mueven discos entre dominios de almacenamiento, no efectúa de forma adecuada la eliminación segura (wipe) después de borrar, lo que evita que un disco no sea borrado de forma segura, y permite a usuarios locales obtener información sensible a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2012-1506.html http://www.securityfocus.com/bid/56825 http://www.securitytracker.com/id?1027838 https://exchange.xforce.ibmcloud.com/vulnerabilities/80546 https://access.redhat.com/security/cve/CVE-2012-5516 https://bugzilla.redhat.com/show_bug.cgi?id=875370 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •