Page 7 of 48 results (0.006 seconds)

CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0

CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion of CloudForms to escalate privileges. CloudForms Management Engine (cfme) en versiones anteriores a la 5.7.3 y 5.8.x anteriores a la 5.8.1 carece de controles RBAC en determinados métodos en la parte de la aplicación rails de CloudForms. Un atacante con acceso podría utilizar una variedad de métodos en la parte de la aplicación rails de CloudForms para escalar privilegios. CloudForms lacks RBAC controls on certain methods in the rails application portion of CloudForms. • http://www.securityfocus.com/bid/100148 https://access.redhat.com/errata/RHSA-2017:1758 https://access.redhat.com/errata/RHSA-2017:3484 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2664 https://access.redhat.com/security/cve/CVE-2017-2664 https://bugzilla.redhat.com/show_bug.cgi?id=1435393 • CWE-284: Improper Access Control •

CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0

A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability within the API could potentially view data from other tenants or groups to which they should not have access. Se ha detectado un error en la API CloudForms en versiones anteriores a las 5.6.3.0, 5.7.3.1 y 5.8.1.2. Un usuario con permisos para emplear la funcionalidad MiqReportResults en la API podría ver datos de otros inquilinos o grupos a los que no debería tener acceso. A flaw was found in the CloudForms API. • http://www.securityfocus.com/bid/99329 https://access.redhat.com/errata/RHSA-2017:1601 https://access.redhat.com/errata/RHSA-2017:1758 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7047 https://access.redhat.com/security/cve/CVE-2016-7047 https://bugzilla.redhat.com/show_bug.cgi?id=1374215 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

ManageIQ in CloudForms before 4.1 allows remote authenticated users to execute arbitrary code. ManageIQ en CloudForms anterior a la versión 4.1, permite a los usuarios identificados remotos ejecutar código arbitrario. • https://bugzilla.redhat.com/show_bug.cgi?id=1340763 https://github.com/ManageIQ/manageiq/pull/7856 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensitive information from CloudForms. Se ha detectado que CloudForms no verifica que el nombre de host del servidor coincida con el nombre de dominio en el certificado cuando se utiliza una CA personalizada y se comunica con Red Hat Virtualization (RHEV) y OpenShift. Esto permitiría a un atacante falsificar sistemas RHEV u OpenShift y potencialmente obtener información sensible de CloudForms. • http://www.securityfocus.com/bid/98769 http://www.securitytracker.com/id/1038599 https://access.redhat.com/errata/RHSA-2017:1367 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2639 https://access.redhat.com/security/cve/CVE-2017-2639 https://bugzilla.redhat.com/show_bug.cgi?id=1429632 • CWE-295: Improper Certificate Validation •

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting or similar attacks in order to execute. Una serie de rutas de borrado no utilizadas están presentes en CloudForms en versiones anteriores a la 5.7.2.1, a las que se puede acceder a través de peticiones GET en lugar de sólo peticiones POST. Esto podría permitir a un atacante omitir la protección protect_from_forgery XSRF que provoca el uso de esas rutas. • http://www.securityfocus.com/bid/96964 https://access.redhat.com/errata/RHSA-2017:0898 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2653 https://access.redhat.com/security/cve/CVE-2017-2653 https://bugzilla.redhat.com/show_bug.cgi?id=1432174 • CWE-20: Improper Input Validation •