Vulnerabilities > Redhat > Cloudforms Management Engine

DATE CVE VULNERABILITY TITLE RISK
2018-07-26 CVE-2017-2664 Unspecified vulnerability in Redhat Cloudforms and Cloudforms Management Engine
CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms.
network
low complexity
redhat
6.5
2018-07-26 CVE-2017-7530 Unspecified vulnerability in Redhat Cloudforms and Cloudforms Management Engine
In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users.
network
low complexity
redhat
8.8
2018-07-24 CVE-2018-10905 OS Command Injection vulnerability in Redhat Cloudforms and Cloudforms Management Engine
CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms.
local
low complexity
redhat CWE-78
7.8
2018-05-01 CVE-2013-2049 Session Fixation vulnerability in Redhat Cloudforms Management Engine 2.0
Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers to conduct session tampering attacks by leveraging use of a static secret_token.rb secret.
network
low complexity
redhat CWE-384
7.5
2018-01-11 CVE-2014-0087 Permissions, Privileges, and Access Controls vulnerability in Redhat Cloudforms Management Engine
The check_privileges method in vmdb/app/controllers/application_controller.rb in ManageIQ, as used in Red Hat CloudForms Management Engine (CFME), allows remote authenticated users to bypass authorization and gain privileges by leveraging improper RBAC checking, related to the rbac_user_edit action.
network
low complexity
redhat CWE-264
8.8
2017-06-08 CVE-2016-4457 Cryptographic Issues vulnerability in Redhat Cloudforms Management Engine 5.7
CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate.
network
low complexity
redhat CWE-310
7.5
2017-04-21 CVE-2016-3702 Information Exposure vulnerability in Redhat Cloudforms Management Engine 5.0
Padding oracle flaw in CloudForms Management Engine (aka CFME) 5 allows remote attackers to obtain sensitive cleartext information.
network
low complexity
redhat CWE-200
5.3
2016-10-07 CVE-2016-7040 Improper Access Control vulnerability in Redhat Cloudforms Management Engine 4.1
Red Hat CloudForms Management Engine 4.1 does not properly handle regular expressions passed to the expression engine via the JSON API and the web-based UI, which allows remote authenticated users to execute arbitrary shell commands by leveraging the ability to view and filter collections.
network
low complexity
redhat CWE-284
8.8
2016-04-11 CVE-2015-7502 Information Exposure vulnerability in Redhat Cloudforms and Cloudforms Management Engine
Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4.0 Management Engine (CFME) 5.5.0 do not properly encrypt data in the backend PostgreSQL database, which might allow local users to obtain sensitive data and consequently gain privileges by leveraging access to (1) database exports or (2) log files.
local
high complexity
redhat CWE-200
5.1