CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2017-2667 – rubygem-hammer_cli: no verification of API server's SSL certificate
https://notcve.org/view.php?id=CVE-2017-2667
20 Feb 2018 — Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. As a result the server certificates are not checked and connections are prone to man-in-the-middle attacks. Hammer CLI, una utilidad CLI para Foreman, en versiones anteriores a la 0.10.0, no estableció explícitamente la marca verify_ssl para apipie-bindings que lo deshabilita por defecto. Como resultado, los certificados del servidor no se comprueban y las ... • http://projects.theforeman.org/issues/19033 • CWE-295: Improper Certificate Validation CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2016-8639 – foreman: Stored XSS via organization/location with HTML in name
https://notcve.org/view.php?id=CVE-2016-8639
20 Feb 2018 — It was found that foreman before 1.13.0 is vulnerable to a stored XSS via an organization or location name. This could allow an attacker with privileges to set the organization or location name to display arbitrary HTML including scripting code within the web interface. Se ha detectado que Foreman en versiones anteriores a la 1.13.0 es vulnerable a Cross-Site Scripting (XSS) persistente mediante un nombre de organización o ubicación. Esto podría permitir que un atacante con privilegios para establecer el no... • http://www.securityfocus.com/bid/94263 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.3EPSS: 0%CPEs: 3EXPL: 0CVE-2016-9595 – katello-debug: Possible symlink attacks due to use of predictable file names
https://notcve.org/view.php?id=CVE-2016-9595
20 Feb 2018 — A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. Se ha encontrado un fallo en katello-debug en versiones anteriores a la 3.4.0, donde determinados scripts y archivos de log utilizaban archivos temporales no seguros. Un usuario local podría explotar esta vulnerabilidad para llevar a cabo un ataque de enlace simbóli... • https://access.redhat.com/errata/RHSA-2018:0336 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-377: Insecure Temporary File •