Redhat Cloudforms Management Engine — known CVE vulnerabilities
Every CVE whose affected-product data names Redhat Cloudforms Management Engine, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (42)
CVE-2013-2068 — CVSS 9.4 (critical): Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to…
CVE-2014-8164 — CVSS 9.1 (critical): A insecure configuration for certificate verification (http.verify_mode = OpenSSL::SSL::VERIFY_NONE) may lead to verification bypass in Red…
CVE-2020-14324 — CVSS 9.1 (critical): A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5.11.7.0. The out of band OS command injection…
CVE-2016-7071 — CVSS 8.8 (high): It was found that the CloudForms before 5.6.2.2, and 5.7.0.7 did not properly apply permissions controls to VM IDs passed by users. A…
CVE-2017-7530 — CVSS 8.8 (high): In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invoking…
CVE-2014-0087 — CVSS 8.8 (high): The check_privileges method in vmdb/app/controllers/application_controller.rb in ManageIQ, as used in Red Hat CloudForms Management Engine…
CVE-2016-5402 — CVSS 8.8 (high): A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker…
CVE-2016-7040 — CVSS 8.8 (high): Red Hat CloudForms Management Engine 4.1 does not properly handle regular expressions passed to the expression engine via the JSON API and…
CVE-2013-4172 — CVSS 8.5 (high): The Red Hat CloudForms Management Engine 5.1 allow remote administrators to execute arbitrary Ruby code via unspecified vectors.
CVE-2019-14894 — CVSS 8.0 (high): A flaw was found in the CloudForms management engine version 5.10 and CloudForms management version 5.11, which triggered remote code…
CVE-2018-10905 — CVSS 7.8 (high): CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacker with…
CVE-2013-2049 — CVSS 7.5 (high): Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers to conduct session tampering attacks by leveraging use of a static…
CVE-2013-2050 — CVSS 7.5 (high): SQL injection vulnerability in the miq_policy controller in Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 and ManageIQ Enterprise…
CVE-2020-14296 — CVSS 7.1 (high): Red Hat CloudForms 4.7 and 5 was vulnerable to Server-Side Request Forgery (SSRF) flaw. With the access to add Ansible Tower provider, an…
CVE-2017-2639 — CVSS 6.5 (medium): It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and…
CVE-2017-15125 — CVSS 6.5 (medium): A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for…
CVE-2017-2664 — CVSS 6.5 (medium): CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application…
CVE-2019-10177 — CVSS 6.5 (medium): A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, due to user…
CVE-2019-14864 — CVSS 6.5 (medium): Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it…
CVE-2020-10780 — CVSS 6.3 (medium): Red Hat CloudForms 4.7 and 5 is affected by CSV Injection flaw, a crafted payload stays dormant till a victim export as CSV and opens the…
CVE-2019-14905 — CVSS 5.6 (medium): A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in…
CVE-2014-3536 — CVSS 5.5 (medium): CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration
CVE-2018-10854 — CVSS 5.4 (medium): cloudforms version, cloudforms 5.8 and cloudforms 5.9, is vulnerable to a cross-site-scripting. A flaw was found in CloudForms's v2v…
CVE-2017-15123 — CVSS 5.3 (medium): A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, where the RSS feed URLs are not properly restricted to authenticated…
CVE-2017-7528 — CVSS 5.2 (medium): Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarded-For…
CVE-2015-7502 — CVSS 5.1 (medium): Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4.0 Management Engine (CFME) 5.5.0 do not properly encrypt data in the…
CVE-2020-1733 — CVSS 5.0 (medium): A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an…
CVE-2017-2632 — CVSS 4.9 (medium): A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups with a…
CVE-2016-7047 — CVSS 4.3 (medium): A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults capability…
CVE-2020-1735 — CVSS 4.2 (medium): A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then…
CVE-2017-7497 — CVSS 4.1 (medium): The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the ability…
CVE-2017-2653 — CVSS 4.1 (medium): A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just POST…
CVE-2020-1739 — CVSS 3.9 (low): A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of…
CVE-2020-1738 — CVSS 3.9 (low): A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task…
CVE-2020-1740 — CVSS 3.9 (low): A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another…
CVE-2020-1736 — CVSS 2.2 (low): A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the…