Filtered by vendor Redhat
Total: 4673 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-0184 | 1 Redhat | 1 Cloudforms 3.0 Management Engine | 2014-07-08 | 4.9 MEDIUM | N/A |
| Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 logs the root password when deploying a VM, which allows local users to obtain sensitive information by reading the evm.log file. | |||||
| CVE-2014-0180 | 1 Redhat | 1 Cloudforms 3.0 Management Engine | 2014-07-08 | 5.0 MEDIUM | N/A |
| The wait_for_task function in app/controllers/application_controller.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via unspecified vectors. | |||||
| CVE-2014-0176 | 1 Redhat | 1 Cloudforms 3.0 Management Engine | 2014-07-08 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in application/panel_control in CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2014-0164 | 1 Redhat | 1 Openshift | 2014-06-30 | 2.1 LOW | N/A |
| openshift-origin-broker-util, as used in Red Hat OpenShift Enterprise 1.2.7 and 2.0.5, uses world-readable permissions for the mcollective client.cfg configuration file, which allows local users to obtain credentials and other sensitive information by reading the file. | |||||
| CVE-2014-0202 | 1 Redhat | 1 Rhevm-dwh | 2014-06-26 | 2.1 LOW | N/A |
| The setup script in ovirt-engine-dwh, as used in the Red Hat Enterprise Virtualization Manager data warehouse (rhevm-dwh) package before 3.3.3, stores the history database password in cleartext, which allows local users to obtain sensitive information by reading an unspecified file. | |||||
| CVE-2011-2514 | 1 Redhat | 2 Icedtea-web, Icedtea6 | 2014-06-25 | 6.8 MEDIUM | N/A |
| The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to trick victims into granting access to local files by modifying the content of the Java Web Start Security Warning dialog box to represent a different filename than the file for which access will be granted. | |||||
| CVE-2011-2513 | 1 Redhat | 2 Icedtea-web, Icedtea6 | 2014-06-25 | 5.0 MEDIUM | N/A |
| The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to obtain the username and full path of the home and cache directories by accessing properties of the ClassLoader. | |||||
| CVE-2013-6491 | 2 Openstack, Redhat | 2 Oslo, Openstack | 2014-06-21 | 4.3 MEDIUM | N/A |
| The python-qpid client (common/rpc/impl_qpid.py) in OpenStack Oslo before 2013.2 does not enforce SSL connections when qpid_protocol is set to ssl, which allows remote attackers to obtain sensitive information by sniffing the network. | |||||
| CVE-2014-0186 | 1 Redhat | 1 Enterprise Linux | 2014-06-16 | 5.0 MEDIUM | N/A |
| A certain tomcat7 package for Apache Tomcat 7 in Red Hat Enterprise Linux (RHEL) 7 allows remote attackers to cause a denial of service (CPU consumption) via a crafted request. NOTE: this vulnerability exists because of an unspecified regression. | |||||
| CVE-2014-0042 | 1 Redhat | 1 Openstack | 2014-06-03 | 4.3 MEDIUM | N/A |
| OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets gpgcheck to 0 for certain templates, which disables GPG signature checking on downloaded packages and allows man-in-the-middle attackers to install arbitrary packages via unspecified vectors. | |||||
| CVE-2014-0041 | 1 Redhat | 1 Openstack | 2014-06-03 | 4.3 MEDIUM | N/A |
| OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets sslverify to false for certain Yum repositories, which disables SSL protection and allows man-in-the-middle attackers to prevent updates via unspecified vectors. | |||||
| CVE-2014-0040 | 1 Redhat | 1 Openstack | 2014-06-03 | 4.3 MEDIUM | N/A |
| OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, uses an HTTP connection to download (1) packages and (2) signing keys from Yum repositories, which allows man-in-the-middle attackers to prevent updates via unspecified vectors. | |||||
| CVE-2013-6470 | 1 Redhat | 1 Openstack | 2014-06-03 | 5.0 MEDIUM | N/A |
| The default configuration in the standalone controller quickstack manifest in openstack-foreman-installer, as used in Red Hat Enterprise Linux OpenStack Platform 4.0, disables authentication for Qpid, which allows remote attackers to gain access by connecting to Qpid. | |||||
| CVE-2014-0201 | 1 Redhat | 1 Rhevm-reports | 2014-05-30 | 2.1 LOW | N/A |
| ovirt-engine-reports, as used in the Red Hat Enterprise Virtualization reports package (rhevm-reports) before 3.3.3, uses world-readable permissions on configuration files, which allows local users to obtain sensitive information by reading the files. | |||||
| CVE-2014-0200 | 1 Redhat | 1 Rhevm-reports | 2014-05-30 | 2.1 LOW | N/A |
| The Red Hat Enterprise Virtualization Manager reports (rhevm-reports) package before 3.3.3-1 uses world-readable permissions on the datasource configuration file (js-jboss7-ds.xml), which allows local users to obtain sensitive information by reading the file. | |||||
| CVE-2014-0199 | 1 Redhat | 1 Rhevm-reports | 2014-05-30 | 2.1 LOW | N/A |
| The setup script in ovirt-engine-reports, as used in the Red Hat Enterprise Virtualization reports (rhevm-reports) package before 3.3.3, stores the reports database password in cleartext, which allows local users to obtain sensitive information by reading an unspecified file. | |||||
| CVE-2014-0137 | 1 Redhat | 1 Cloudforms 3.0 Management Engine | 2014-05-15 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists. | |||||
| CVE-2014-0078 | 1 Redhat | 1 Cloudforms 3.0 Management Engine | 2014-05-15 | 4.0 MEDIUM | N/A |
| The CatalogController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to delete arbitrary catalogs via vectors involving guessing the catalog ID. | |||||
| CVE-2014-0149 | 1 Redhat | 1 Jboss Web Framework Kit | 2014-05-06 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Red Hat JBoss Web Framework Kit 2.5.0 allow remote attackers to inject arbitrary web script or HTML via a (1) parameter or (2) id name. | |||||
| CVE-2013-6469 | 1 Redhat | 2 Jboss Fuse Service Works, Jboss Overlord Run Time Governance | 2014-04-22 | 6.5 MEDIUM | N/A |
| JBoss Overlord Run Time Governance (RTGov) 1.0 for JBossAS allows remote authenticated users to execute arbitrary Java code via an MVFLEX Expression Language (MVEL) expression. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2014-0071 | 1 Redhat | 1 Openstack | 2014-04-17 | 6.4 MEDIUM | N/A |
| PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections. | |||||
| CVE-2013-2143 | 2 Katello, Redhat | 2 Katello, Network Satellite | 2014-04-17 | 6.5 MEDIUM | N/A |
| The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account. | |||||
| CVE-2013-6468 | 1 Redhat | 3 Jboss Bpm Suite, Jboss Drools, Jboss Enterprise Brms Platform | 2014-04-11 | 6.5 MEDIUM | N/A |
| JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression. | |||||
| CVE-2012-0032 | 1 Redhat | 1 Jboss Operations Network | 2014-04-01 | 3.7 LOW | N/A |
| Red Hat JBoss Operations Network (JON) before 3.0.1 uses 0777 permissions for the root directory when installing a remote client, which allows local users to read or modify subdirectories and files within the root directory, as demonstrated by obtaining JON credentials. | |||||
| CVE-2011-4573 | 1 Redhat | 1 Jboss Operations Network | 2014-04-01 | 3.5 LOW | N/A |
| Red Hat JBoss Operations Network (JON) before 2.4.2 does not properly enforce "modify resource" permissions for remote authenticated users when deleting a plug-in configuration update from the group connection properties history, which prevents such activities from being recorded in the audit trail. | |||||
| CVE-2011-3346 | 3 Qemu, Redhat, Xen | 3 Qemu, Enterprise Linux, Xen | 2014-04-01 | 4.0 MEDIUM | N/A |
| Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs. | |||||
| CVE-2013-7347 | 1 Redhat | 2 Conga, Enterprise Linux | 2014-03-31 | 3.7 LOW | N/A |
| Luci in Red Hat Conga does not properly enforce the user session timeout, which might allow attackers to gain access to the session by reading the __ac session cookie. NOTE: this issue has been SPLIT due to different vulnerability types. Use CVE-2012-3359 for the base64-encoded storage of the user and password in a cookie. | |||||
| CVE-2012-3359 | 1 Redhat | 2 Conga, Enterprise Linux | 2014-03-31 | 3.7 LOW | N/A |
| Luci in Red Hat Conga stores the user's username and password in a Base64 encoded string in the __ac session cookie, which allows attackers to gain privileges by accessing this cookie. NOTE: this issue has been SPLIT due to different vulnerability types. Use CVE-2013-7347 for the incorrect enforcement of a user timeout. | |||||
| CVE-2014-0057 | 1 Redhat | 2 Cloudforms, Cloudforms 3.0 Management Engine | 2014-03-19 | 7.5 HIGH | N/A |
| The x_button method in the ServiceController (vmdb/app/controllers/service_controller.rb) in Red Hat CloudForms 3.0 Management Engine 5.2 allows remote attackers to execute arbitrary methods via unspecified vectors. | |||||
| CVE-2013-6493 | 1 Redhat | 1 Icedtea-web | 2014-03-16 | 2.1 LOW | N/A |
| The LiveConnect implementation in plugin/icedteanp/IcedTeaNPPlugin.cc in IcedTea-Web before 1.4.2 allows local users to read the messages between a Java applet and a web browser by pre-creating a temporary socket file with a predictable name in /tmp. | |||||
| CVE-2011-2941 | 1 Redhat | 1 Jboss Enterprise Portal Platform | 2014-03-10 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in Red Hat JBoss Enterprise Portal Platform before 5.2.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the initialURI parameter. | |||||
| CVE-2011-4580 | 1 Redhat | 1 Jboss Enterprise Portal Platform | 2014-03-10 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Red Hat JBoss Enterprise Portal Platform before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2013-4112 | 2 Jgroups, Redhat | 2 Jgroup, Jboss Enterprise Application Platform | 2014-03-08 | 5.4 MEDIUM | N/A |
| The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9, and 3.3.x before 3.3.3 allows remote attackers to obtain sensitive information (diagnostic information) and execute arbitrary code by reusing valid credentials. | |||||
| CVE-2013-1921 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2014-03-08 | 1.9 LOW | N/A |
| PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file. | |||||
| CVE-2011-4085 | 1 Redhat | 4 Jboss Enterprise Application Platform, Jboss Enterprise Brms Platform, Jboss Enterprise Portal Platform and 1 more | 2014-03-06 | 6.8 MEDIUM | N/A |
| The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression. | |||||
| CVE-2011-4610 | 1 Redhat | 4 Jboss Communications Platform, Jboss Enterprise Application Platform, Jboss Enterprise Brms Platform and 1 more | 2014-03-06 | 5.0 MEDIUM | N/A |
| JBoss Web, as used in Red Hat JBoss Communications Platform before 5.1.3, Enterprise Web Platform before 5.1.2, Enterprise Application Platform before 5.1.2, and other products, allows remote attackers to cause a denial of service (infinite loop) via vectors related to a crafted UTF-8 and a "surrogate pair character" that is "at the boundary of an internal buffer." | |||||
| CVE-2011-3590 | 1 Redhat | 1 Kexec-tools | 2014-03-06 | 5.7 MEDIUM | N/A |
| The Red Hat mkdumprd script for kexec-tools, as distributed in the kexec-tools 1.x before 1.102pre-154 and 2.x before 2.0.0-209 packages in Red Hat Enterprise Linux, includes all of root's SSH private keys within a vmcore file, which allows context-dependent attackers to obtain sensitive information by inspecting the file content. | |||||
| CVE-2011-3588 | 1 Redhat | 1 Kexec-tools | 2014-03-06 | 5.7 MEDIUM | N/A |
| The SSH configuration in the Red Hat mkdumprd script for kexec-tools, as distributed in the kexec-tools 1.x before 1.102pre-154 and 2.x before 2.0.0-209 packages in Red Hat Enterprise Linux, disables the StrictHostKeyChecking option, which allows man-in-the-middle attackers to spoof kdump servers, and obtain sensitive core information, by using an arbitrary SSH key. | |||||
| CVE-2011-3589 | 1 Redhat | 1 Kexec-tools | 2014-03-06 | 5.7 MEDIUM | N/A |
| The Red Hat mkdumprd script for kexec-tools, as distributed in the kexec-tools 1.x before 1.102pre-154 and 2.x before 2.0.0-209 packages in Red Hat Enterprise Linux, uses world-readable permissions for vmcore files, which allows local users to obtain sensitive information by inspecting the file content, as demonstrated by a search for a root SSH key. | |||||
| CVE-2011-1594 | 1 Redhat | 2 Network Satellite, Spacewalk | 2014-02-25 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in Spacewalk 1.6, as used in Red Hat Network (RHN) Satellite, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url_bounce parameter. | |||||
| CVE-2011-2927 | 1 Redhat | 2 Network Satellite, Spacewalk | 2014-02-25 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk 1.6, as used in Red Hat Network (RHN) Satellite, allow remote attackers to inject arbitrary web script or HTML via vectors related to Search forms. | |||||
| CVE-2011-3344 | 1 Redhat | 2 Network Satellite, Spacewalk | 2014-02-25 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Lookup Login/Password form in Spacewalk 1.6, as used in Red Hat Network (RHN) Satellite, allows remote attackers to inject arbitrary web script or HTML via the URI. | |||||
| CVE-2011-2920 | 1 Redhat | 2 Network Satellite, Spacewalk | 2014-02-25 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk 1.6, as used in Red Hat Network (RHN) Satellite, allow remote attackers to inject arbitrary web script or HTML via the "Filter by Synopsis" field and other unspecified filter forms. | |||||
| CVE-2011-2919 | 1 Redhat | 2 Network Satellite, Spacewalk | 2014-02-25 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Spacewalk 1.6, as used in Red Hat Network (RHN) Satellite, allows remote attackers to inject arbitrary web script or HTML via the QueryString to the SystemGroupList.do page. | |||||
| CVE-2011-3206 | 2 Redhat, Rhq-project | 2 Jboss Operations Network, Rhq | 2014-02-21 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in RHQ 4.2.0, as used in JBoss Operations Network (aka JON or JBoss ON) before 3.0, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2011-4083 | 1 Redhat | 1 Sos | 2014-02-19 | 4.3 MEDIUM | N/A |
| The sosreport utility in the Red Hat sos package before 1.7-9 and 2.x before 2.2-17 includes (1) Certificate-based Red Hat Network private entitlement keys and the (2) private key for the entitlement in an archive of debugging information, which might allow remote attackers to obtain sensitive information by reading the archive. | |||||
| CVE-2012-1100 | 1 Redhat | 1 Jboss Operations Network | 2014-02-14 | 5.8 MEDIUM | N/A |
| Red Hat JBoss Operations Network (JON) 3.0.x before 3.0.1, 2.4.2, and earlier, when LDAP authentication is enabled and the LDAP bind account credentials are invalid, allows remote attackers to login to LDAP-based accounts via an arbitrary password in a login request. | |||||
| CVE-2012-0062 | 1 Redhat | 1 Jboss Operations Network | 2014-02-14 | 5.8 MEDIUM | N/A |
| Red Hat JBoss Operations Network (JON) before 2.4.2 and 3.0.x before 3.0.1 allows remote attackers to hijack agent sessions via an agent registration request without a security token. | |||||
| CVE-2012-0052 | 1 Redhat | 1 Jboss Operations Network | 2014-02-14 | 5.8 MEDIUM | N/A |
| Red Hat JBoss Operations Network (JON) before 2.4.2 and 3.0.x before 3.0.1 does not check the JON agent key, which allows remote attackers to spoof the identity of arbitrary agents via the registered agent name. | |||||
| CVE-2011-4930 | 3 Condor Project, Fedoraproject, Redhat | 3 Condor, Fedora, Enterprise Mrg | 2014-02-10 | 4.4 MEDIUM | N/A |
| Multiple format string vulnerabilities in Condor 7.2.0 through 7.6.4, and possibly certain 7.7.x versions, as used in Red Hat MRG Grid and possibly other products, allow local users to cause a denial of service (condor_schedd daemon and failure to launch jobs) and possibly execute arbitrary code via format string specifiers in (1) the reason for a hold for a job that uses an XML user log, (2) the filename of a file to be transferred, and possibly other unspecified vectors. | |||||
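The three heat-templates entries above (CVE-2014-0040, CVE-2014-0041 and CVE-2014-0042) describe the same class of weakness in a Yum repository definition: packages or signing keys fetched over plain HTTP, `sslverify` turned off, and `gpgcheck` turned off. The following checker is an added example, not code from this page or from the heat-templates project. It parses standard yum `.repo` syntax and flags each of those settings; the repository file it scans is constructed for the example, and the default handling (a missing `gpgcheck` counts as disabled, a missing `sslverify` counts as enabled) is an assumption about yum's defaults that you should confirm against your own `yum.conf`.

```python
"""Added example (not code from the page or from the heat-templates project):
scan yum repository definitions for the weaknesses in CVE-2014-0040/0041/0042:
plain-HTTP baseurl/mirrorlist/gpgkey, sslverify disabled, gpgcheck disabled.
The repo text below is constructed; the option names are standard yum syntax."""
import configparser
from urllib.parse import urlparse

# Constructed sample: one repo with every weak setting, one hardened repo.
SAMPLE_REPO_FILE = """
[weak-repo]
name=Weak repo (constructed example)
baseurl=http://repo.example.internal/el7/
gpgkey=http://repo.example.internal/RPM-GPG-KEY
gpgcheck=0
sslverify=false
enabled=1

[hardened-repo]
name=Hardened repo (constructed example)
baseurl=https://repo.example.internal/el7/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
gpgcheck=1
sslverify=1
enabled=1
"""

FALSEY = {"0", "false", "no", "off"}
URL_OPTIONS = ("baseurl", "mirrorlist", "metalink", "gpgkey")


def _is_off(value, default_on):
    """True when a yum boolean option is effectively disabled.
    Assumed defaults: gpgcheck off when absent, sslverify on when absent."""
    if value is None:
        return not default_on
    return value.strip().lower() in FALSEY


def audit_repo_text(text):
    """Return {repo_id: [finding, ...]} for every repo section with a weakness."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for repo in parser.sections():
        if repo == "main":
            continue
        sec = parser[repo]
        problems = []
        # Multi-URL values are whitespace separated; each URL is checked.
        for key in URL_OPTIONS:
            for url in sec.get(key, "").split():
                if urlparse(url).scheme == "http":
                    problems.append(f"{key} uses plain HTTP: {url}")
        if _is_off(sec.get("sslverify"), default_on=True):
            problems.append("sslverify is disabled")
        if _is_off(sec.get("gpgcheck"), default_on=False):
            problems.append("gpgcheck is disabled")
        if problems:
            findings[repo] = problems
    return findings


if __name__ == "__main__":
    for repo_id, problems in audit_repo_text(SAMPLE_REPO_FILE).items():
        print(repo_id)
        for problem in problems:
            print("  -", problem)
```

Run it against real files with `audit_repo_text(open(path).read())` for each file under `/etc/yum.repos.d/`; an `http://` `gpgkey` is flagged even when `gpgcheck=1`, because a key fetched over an unauthenticated channel does not protect the packages it is meant to verify.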
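CVE-2011-4085 (and the CVE-2010-0738 issue it regresses) comes from a servlet `security-constraint` that lists `http-method` elements: the constraint then protects only the listed methods, and any other verb reaches the servlet without authentication. The model below is an added example, not code from this page or from JBoss; it evaluates that rule over two constructed `web.xml` fragments, one listing GET and POST and one with no `http-method` at all. The `/invoker/*` pattern, role name and servlet path are assumed for illustration.

```python
"""Added example (not code from the page or from JBoss): model the servlet
security-constraint semantics behind CVE-2011-4085.  Listing <http-method>
elements restricts the constraint to those methods; omitting them covers
every method.  Both web.xml fragments and the /invoker/* path are constructed."""
import xml.etree.ElementTree as ET

VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Invokers</web-resource-name>
      <url-pattern>/invoker/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Invoker</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Fixed form: same constraint with the <http-method> elements removed.
FIXED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Invokers</web-resource-name>
      <url-pattern>/invoker/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Invoker</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

PROBE_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "FOO")


def _pattern_matches(pattern, path):
    """Servlet url-pattern matching: prefix (/x/*), extension (*.ext), default (/), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern == "/":
        return True
    return path == pattern


def requires_auth(web_xml, method, path):
    """True if some security-constraint with an auth-constraint covers (method, path)."""
    root = ET.fromstring(web_xml)
    for sc in root.iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no auth-constraint: nothing is required for this collection
        for wrc in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
            methods = {m.text.strip().upper() for m in wrc.iter("http-method")}
            if not any(_pattern_matches(p, path) for p in patterns):
                continue
            # Empty method list means all methods are constrained.
            if not methods or method.upper() in methods:
                return True
    return False


def uncovered_methods(web_xml, path, candidates=PROBE_METHODS):
    """Methods that reach `path` with no authentication under this web.xml."""
    return [m for m in candidates if not requires_auth(web_xml, m, path)]


if __name__ == "__main__":
    path = "/invoker/SomeServlet"
    print("vulnerable, uncovered:", uncovered_methods(VULNERABLE_WEB_XML, path))
    print("fixed, uncovered:     ", uncovered_methods(FIXED_WEB_XML, path))
```

The practical check is `uncovered_methods()` run over every protected path in a deployment descriptor: a non-empty result means a verb such as HEAD (which many containers route to the same handler as GET) bypasses the constraint, which is exactly the bypass the CVE describes.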
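Several entries above are the same local-disclosure pattern: a file that should be private is world-readable (the mcollective `client.cfg` of CVE-2014-0164, the rhevm-reports configuration files of CVE-2014-0200 and CVE-2014-0201, the vmcore files of CVE-2011-3589), and in the kexec-tools case the file also happens to contain root's SSH private keys (CVE-2011-3590). The audit below is an added example, not code from this page or from kexec-tools or any Red Hat package. It walks a directory, reports files readable by "other", and reports files that contain PEM private-key markers; the directory tree it scans is constructed inside the script, with file names chosen to echo the entries above.

```python
"""Added example (not code from the page or from any Red Hat package): audit a
directory for world-readable files and for files holding private-key material,
the conditions behind CVE-2011-3589/3590 and CVE-2014-0164/0200/0201.
The directory tree built by make_sample_tree() is constructed for the example."""
import os
import stat
import tempfile

# Matches "-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN OPENSSH PRIVATE KEY-----", ...
PRIVATE_KEY_MARKERS = (b"PRIVATE KEY-----",)


def is_world_readable(path):
    """True when the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def contains_private_key(path, chunk=1 << 20):
    """Scan a file in chunks (a vmcore can be gigabytes) for a PEM private-key marker."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return False
            window = tail + block  # overlap so a marker split across chunks is found
            if any(marker in window for marker in PRIVATE_KEY_MARKERS):
                return True
            tail = block[-32:]


def audit_tree(root):
    """Return a sorted list of (relative_path, issue) tuples for the tree under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if is_world_readable(full):
                findings.append((rel, "world-readable"))
            if contains_private_key(full):
                findings.append((rel, "contains private key material"))
    return sorted(findings)


def make_sample_tree():
    """Build a constructed tree mimicking a kdump crash directory and config files."""
    root = tempfile.mkdtemp(prefix="audit-example-")
    fake_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"constructed, not a real key\n"
                b"-----END RSA PRIVATE KEY-----\n")
    samples = {
        # vulnerable: 0644 and the dump contains root's key (CVE-2011-3589/3590 pattern)
        "crash/vmcore": (0o644, b"\x00" * 4096 + fake_key + b"\x00" * 4096),
        # fixed form: same kind of file at 0600 with no key inside
        "crash/vmcore-dmesg.txt": (0o600, b"kernel log (constructed)"),
        # world-readable config holding a credential (CVE-2014-0164 pattern)
        "etc/client.cfg": (0o644, b"plugin.psk = constructed-secret\n"),
        # same kind of file with group-only access (CVE-2014-0200 fixed pattern)
        "etc/js-jboss7-ds.xml": (0o640, b"<password>constructed</password>\n"),
    }
    for rel, (mode, content) in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        os.chmod(full, mode)  # explicit chmod so the umask does not alter the test modes
    return root


if __name__ == "__main__":
    for rel, issue in audit_tree(make_sample_tree()):
        print(f"{issue:32} {rel}")
```

Point `audit_tree()` at `/var/crash`, `/etc/mcollective` or an application's configuration directory to reproduce the check on a live host; the two findings are independent, since a 0600 dump that still embeds a key is safe only until it is copied somewhere with looser permissions.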
