Author: Cyberthreat Blog

IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate.

ManageIQ in CloudForms before 4.1 allows remote authenticated users to execute arbitrary code.

The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload.

client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem as world-readable.