Redhat

Cloudforms

48 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.5

CVE-2017-2653

  • EPSS 0.4%
  • Veröffentlicht 27.07.2018 18:29:01
  • Zuletzt bearbeitet 21.11.2024 03:23:55

A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be u...

9

CVE-2017-12148

  • EPSS 0.45%
  • Veröffentlicht 27.07.2018 16:29:00
  • Zuletzt bearbeitet 21.11.2024 03:08:55

A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook sour...

7.5

CVE-2017-2639

  • EPSS 0.52%
  • Veröffentlicht 27.07.2018 13:29:00
  • Zuletzt bearbeitet 21.11.2024 03:23:53

It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or ...

6.5

CVE-2017-2664

  • EPSS 0.22%
  • Veröffentlicht 26.07.2018 14:29:00
  • Zuletzt bearbeitet 21.11.2024 03:23:55

CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion...

8.8

CVE-2017-7530

  • EPSS 0.34%
  • Veröffentlicht 26.07.2018 13:29:00
  • Zuletzt bearbeitet 21.11.2024 03:32:05

In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacke...

7.8

CVE-2018-10905

  • EPSS 0.29%
  • Veröffentlicht 24.07.2018 13:29:00
  • Zuletzt bearbeitet 21.11.2024 03:42:16

CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacker with access to an unprivileged local shell could use this flaw to execute commands as a high privileged user.

5.9

CVE-2018-10855

  • EPSS 2.52%
  • Veröffentlicht 03.07.2018 01:29:00
  • Zuletzt bearbeitet 21.11.2024 03:42:08

Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible ...

7.5

CVE-2018-3760

  • EPSS 93.24%
  • Veröffentlicht 26.06.2018 19:29:00
  • Zuletzt bearbeitet 21.11.2024 04:06:01

There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application'...

9.8

CVE-2018-1000544

Exploit
  • EPSS 0.34%
  • Veröffentlicht 26.06.2018 16:29:02
  • Zuletzt bearbeitet 21.11.2024 03:40:09

rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be exploitable via If a site allows uploading of .zip ...

6.1

CVE-2018-11627

Exploit
  • EPSS 0.4%
  • Veröffentlicht 31.05.2018 19:29:00
  • Zuletzt bearbeitet 21.11.2024 03:43:43

Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.