Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Redhat Subscribe
Total 5151 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2013-0314 1 Redhat 1 Jboss Enterprise Portal Platform 2013-04-14 7.5 HIGH N/A
The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.
CVE-2013-0315 1 Redhat 1 Jboss Enterprise Portal Platform 2013-04-14 5.0 MEDIUM N/A
The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 allows remote attackers to read arbitrary files via a crafted external XML entity in an XML document, aka an XML Entity Expansion (XEE) attack.
CVE-2012-6120 1 Redhat 2 Openstack Essex, Openstack Folsom 2013-04-10 2.1 LOW N/A
Red Hat OpenStack Essex and Folsom creates the /var/log/puppet directory with world-readable permissions, which allows local users to obtain sensitive information such as Puppet log files.
CVE-2012-6119 2 Candlepinproject, Redhat 2 Candlepin, Subscription Asset Manager 2013-04-02 2.1 LOW N/A
Candlepin before 0.7.24, as used in Red Hat Subscription Asset Manager before 1.2.1, does not properly check manifest signatures, which allows local users to modify manifests.
CVE-2012-3445 1 Redhat 1 Libvirt 2013-03-21 3.5 LOW N/A
The virTypedParameterArrayClear function in libvirt 0.9.13 does not properly handle virDomain* API calls with typed parameters, which might allow remote authenticated users to cause a denial of service (libvirtd crash) via an RPC command with nparams set to zero, which triggers an out-of-bounds read or a free of an invalid pointer.
CVE-2013-1766 1 Redhat 1 Libvirt 2013-03-21 3.6 LOW N/A
libvirt 1.0.2 and earlier sets the group owner to kvm for device files, which allows local users to write to these files via unspecified vectors.
CVE-2012-5659 1 Redhat 1 Automatic Bug Reporting Tool 2013-03-18 3.7 LOW N/A
Untrusted search path vulnerability in plugins/abrt-action-install-debuginfo-to-abrt-cache.c in Automatic Bug Reporting Tool (ABRT) 2.0.9 and earlier allows local users to load and execute arbitrary Python modules by modifying the PYTHONPATH environment variable to reference a malicious Python module.
CVE-2012-6117 1 Redhat 1 Cloudforms Cloud Engine 2013-03-17 2.1 LOW N/A
Aeolus Configuration Server, as used in Red Hat CloudForms Cloud Engine before 1.1.2, uses world-readable permissions for /var/log/aeolus-configserver/configserver.log, which allows local users to read plaintext passwords by reading the log file.
CVE-2012-6118 1 Redhat 1 Aeolus Conductor 2013-03-17 5.5 MEDIUM N/A
The Administer tab in Aeolus Conductor allows remote authenticated users to bypass intended quota restrictions by updating the Maximum Running Instances quota user setting.
CVE-2012-4543 1 Redhat 1 Certificate System 2013-03-07 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in Red Hat Certificate System (RHCS) before 8.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) pageStart or (2) pageSize to the displayCRL script, or (3) nonce variable to the profileProcess script.
CVE-2012-5647 1 Redhat 2 Openshift, Openshift Origin 2013-02-25 5.8 MEDIUM N/A
Open redirect vulnerability in node-util/www/html/restorer.php in Red Hat OpenShift Origin before 1.0.5-3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the PATH_INFO.
CVE-2012-5658 1 Redhat 2 Openshift, Openshift Origin 2013-02-25 2.1 LOW N/A
rhc-chk.rb in Red Hat OpenShift Origin before 1.1, when -d (debug mode) is used, outputs the password and other sensitive information in cleartext, which allows context-dependent attackers to obtain sensitive information, as demonstrated by including log files or Bugzilla reports in support channels.
CVE-2011-4314 3 Kay Framework Project, Openid, Redhat 3 Kay Framework, Openid4java, Jboss Enterprise Application Platform 2013-02-14 5.8 MEDIUM N/A
message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.
CVE-2012-5484 1 Redhat 1 Freeipa 2013-02-06 7.9 HIGH N/A
The client in FreeIPA 2.x and 3.x before 3.1.2 does not properly obtain the Certification Authority (CA) certificate from the server, which allows man-in-the-middle attackers to spoof a join procedure via a crafted certificate.
CVE-2012-5531 1 Redhat 1 Jboss Enterprise Portal Platform 2013-01-18 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in the GateIn Portal in JBoss Enterprise Portal Platform 5.2.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-2793 1 Redhat 2 Enterprise Virtualization Manager, Spice-activex 2013-01-15 6.8 MEDIUM N/A
Race condition in the SPICE (aka spice-activex) plug-in for Internet Explorer in Red Hat Enterprise Virtualization (RHEV) Manager before 2.2.4 allows local users to create a certain named pipe, and consequently gain privileges, via vectors involving knowledge of the name of this named pipe, in conjunction with use of the ImpersonateNamedPipeClient function.
CVE-2010-2224 1 Redhat 1 Enterprise Virtualization Manager 2013-01-14 2.1 LOW N/A
The snapshot merging functionality in Red Hat Enterprise Virtualization Manager (aka RHEV-M) before 2.2 does not properly pass the postzero parameter during operations on deleted volumes, which allows guest OS users to obtain sensitive information by examining the disk blocks associated with a deleted virtual machine.
CVE-2012-4549 1 Redhat 1 Jboss Enterprise Application Platform 2013-01-14 5.8 MEDIUM N/A
The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods.
CVE-2012-4556 1 Redhat 1 Certificate System 2013-01-14 4.0 MEDIUM N/A
The token processing system (pki-tps) in Red Hat Certificate System (RHCS) before 8.1.3 allows remote attackers to cause a denial of service (Apache httpd web server child process restart) via certain unspecified empty search fields in a user certificate search query.
CVE-2012-2693 1 Redhat 1 Libvirt 2013-01-14 3.7 LOW N/A
libvirt, possibly before 0.9.12, does not properly assign USB devices to virtual machines when multiple devices have the same vendor and product ID, which might cause the wrong device to be associated with a guest and might allow local users to access unintended USB devices.