Vulnerabilities (CVE)

Vendor filter

Redhat Subscribe

Product filter

Cloudforms Subscribe

Filter

35 total CVE
CVE Vendors Products Updated CVSS
CVE-2018-10855 2 Redhat, Debian 5 Ansible Engine, Cloudforms, Openstack and 2 more 2019-07-25 5.0
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully,...
CVE-2019-5419 3 Rubyonrails, Debian, Redhat 3 Rails, Debian Linux, Cloudforms 2019-06-07 7.8
There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.
CVE-2018-1000544 3 Rubyzip Project, Debian, Redhat 3 Rubyzip, Debian Linux, Cloudforms 2019-03-13 7.5
rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be exploitable via If a site allows uploading of...
CVE-2018-7750 3 Paramiko, Redhat, Debian 11 Paramiko, Ansible Engine, Cloudforms and 8 more 2019-02-28 7.5
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication...
CVE-2018-11627 2 Sinatrarb, Redhat 2 Sinatra, Cloudforms 2019-02-26 4.3
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.
CVE-2012-5604 1 Redhat 1 Cloudforms 2018-05-12 4.3
The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when using Active Directory for authentication, allows remote attackers to bypass authentication via unspecified vectors.
CVE-2012-5605 1 Redhat 1 Cloudforms 2017-08-29 2.1
Grinder in Red Hat CloudForms before 1.1 uses world-writable permissions for /var/lib/pulp/cache/grinder/, which allows local users to modify grinder cache files.
CVE-2012-5603 1 Redhat 1 Cloudforms 2017-08-29 5.5
proxies_controller.rb in Katello in Red Hat CloudForms before 1.1 does not properly check permissions, which allows remote authenticated users to read consumer certificates or change arbitrary users' settings via unspecified vectors related to...
CVE-2012-4574 1 Redhat 1 Cloudforms 2017-08-29 2.1
Pulp in Red Hat CloudForms before 1.1 uses world-readable permissions for pulp.conf, which allows local users to read the administrative password by reading this file.
CVE-2012-3538 1 Redhat 1 Cloudforms 2017-08-29 3.3
Pulp in Red Hat CloudForms before 1.1 logs administrative passwords in a world-readable file, which allows local users to read pulp administrative passwords by reading production.log.
CVE-2016-4471 1 Redhat 1 Cloudforms 2017-06-15 6.5
ManageIQ in CloudForms before 4.1 allows remote authenticated users to execute arbitrary code.
CVE-2016-5383 1 Redhat 1 Cloudforms 2016-08-26 6.5
The web UI in Red Hat CloudForms 4.1 allows remote authenticated users to execute arbitrary code via vectors involving "Lack of field filters."
CVE-2015-7502 1 Redhat 2 Cloudforms Management Engine, Cloudforms 2016-04-18 1.9
Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4.0 Management Engine (CFME) 5.5.0 do not properly encrypt data in the backend PostgreSQL database, which might allow local users to obtain sensitive data and consequently gain...
CVE-2014-0057 1 Redhat 2 Cloudforms 3.0 Management Engine, Cloudforms 2014-03-19 7.5
The x_button method in the ServiceController (vmdb/app/controllers/service_controller.rb) in Red Hat CloudForms 3.0 Management Engine 5.2 allows remote attackers to execute arbitrary methods via unspecified vectors.
CVE-2013-6443 1 Redhat 2 Cloudforms 3.0 Management Engine, Cloudforms 2014-01-23 6.8
CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.