Vulnerabilities > Redhat > Cloudforms

DATE CVE VULNERABILITY TITLE RISK
2018-05-02 CVE-2018-1104 Code Injection vulnerability in Redhat Ansible Tower and Cloudforms
Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server.
network
low complexity
redhat CWE-94
6.5
2018-05-02 CVE-2018-1101 Weak Password Requirements vulnerability in Redhat Ansible Tower and Cloudforms
Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privilege escalation.
network
low complexity
redhat CWE-521
6.5
2018-03-13 CVE-2018-7750 Improper Authentication vulnerability in multiple products
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open.
network
low complexity
paramiko redhat debian CWE-287
7.5
2018-03-02 CVE-2018-1058 A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users.
network
low complexity
postgresql canonical redhat
8.8
2018-02-28 CVE-2017-12191 Improper Access Control vulnerability in Redhat Cloudforms 4.5
A flaw was found in the CloudForms account configuration when using VMware.
network
low complexity
redhat CWE-284
7.4
2018-02-09 CVE-2018-1053 Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files.
3.3
2017-08-23 CVE-2017-11610 Incorrect Default Permissions vulnerability in multiple products
The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.
network
low complexity
supervisord fedoraproject debian redhat CWE-276
8.8
2017-06-08 CVE-2016-4471 Permissions, Privileges, and Access Controls vulnerability in Redhat Cloudforms
ManageIQ in CloudForms before 4.1 allows remote authenticated users to execute arbitrary code.
network
low complexity
redhat CWE-264
6.5
2016-08-26 CVE-2016-5383 Improper Access Control vulnerability in Redhat Cloudforms 4.1
The web UI in Red Hat CloudForms 4.1 allows remote authenticated users to execute arbitrary code via vectors involving "Lack of field filters."
network
low complexity
redhat CWE-284
6.5
2016-04-11 CVE-2015-7502 Information Exposure vulnerability in Redhat Cloudforms and Cloudforms Management Engine
Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4.0 Management Engine (CFME) 5.5.0 do not properly encrypt data in the backend PostgreSQL database, which might allow local users to obtain sensitive data and consequently gain privileges by leveraging access to (1) database exports or (2) log files.
local
high complexity
redhat CWE-200
5.1