Page 6 of 39 results (0.011 seconds)

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0

The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability to create storage volumes could use this to create storage volumes for any other tenant. El diálogo para crear volúmenes de cloud (cinder provider) en CloudForms no filtra a los inquilinos de cloud por usuario. Un atacante con la capacidad de crear volúmenes de almacenamiento podría usar esto para crear volúmenes de almacenamiento para cualquier otro inquilino. • https://access.redhat.com/errata/RHSA-2017:1601 https://access.redhat.com/errata/RHSA-2017:1758 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7497 https://access.redhat.com/security/cve/CVE-2017-7497 https://bugzilla.redhat.com/show_bug.cgi?id=1450150 • CWE-284: Improper Access Control •

CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0

A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access. Se ha detectado un error en la API CloudForms en versiones anteriores a las 5.6.3.0, 5.7.3.1 y 5.8.1.2. Un usuario con permisos para emplear la funcionalidad MiqReportResults en la API podría ver datos de otros inquilinos o grupos a los que no debería tener acceso. A flaw was found in the CloudForms API. • http://www.securityfocus.com/bid/99329 https://access.redhat.com/errata/RHSA-2017:1601 https://access.redhat.com/errata/RHSA-2017:1758 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7047 https://access.redhat.com/security/cve/CVE-2016-7047 https://bugzilla.redhat.com/show_bug.cgi?id=1374215 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensitive information from CloudForms. Se ha detectado que CloudForms no verifica que el nombre de host del servidor coincida con el nombre de dominio en el certificado cuando se utiliza una CA personalizada y se comunica con Red Hat Virtualization (RHEV) y OpenShift. Esto permitiría a un atacante falsificar sistemas RHEV u OpenShift y potencialmente obtener información sensible de CloudForms. • http://www.securityfocus.com/bid/98769 http://www.securitytracker.com/id/1038599 https://access.redhat.com/errata/RHSA-2017:1367 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2639 https://access.redhat.com/security/cve/CVE-2017-2639 https://bugzilla.redhat.com/show_bug.cgi?id=1429632 • CWE-295: Improper Certificate Validation •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate. CloudForms Management Engine anterior a la versión 5.8 incluye un certificado SSL/TLS por defecto. CloudForms includes a default SSL/TLS certificate for the web server. This certificate is replaced at install time. However if an attacker were able to man-in-the-middle an administrator while installing the new certificate, the attacker could get a copy of the uploaded private key allowing for future attacks. • http://www.securitytracker.com/id/1038599 https://access.redhat.com/errata/RHSA-2017:1367 https://access.redhat.com/errata/RHSA-2017:1601 https://bugzilla.redhat.com/show_bug.cgi?id=1341308 https://access.redhat.com/security/cve/CVE-2016-4457 • CWE-310: Cryptographic Issues CWE-798: Use of Hard-coded Credentials •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

Padding oracle flaw in CloudForms Management Engine (aka CFME) 5 allows remote attackers to obtain sensitive cleartext information. Fallo de padding oracle en CloudForms Management Engine (vulnerabilidad también conocida como CFME) 5 permite a atacantes remotos obtener información sensible en texto. • https://bugzilla.redhat.com/show_bug.cgi?id=1330179 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •