CVE-2014-3691 — Improper Certificate Validation in Foreman

CWE-310 CWE-295 — Improper Certificate Validation5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 66.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Theforeman Foreman Redhat Openstack

Timeline

PublishedMar 9

Latest updateMay 14

Description

Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does not validate SSL certificates, which allows remote attackers to bypass intended authentication and execute arbitrary API requests via a request without a certificate.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDtheforeman/foreman1.5.3+2

▶NVDredhat/openstack4.0, 5.0+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-m4h9-hcv2-hw6h: Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1↗2022-05-14

▶

CVEList

CVE-2014-3691: Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1↗2015-03-09

▶

📋Vendor Advisories

Red Hat

foreman-proxy: failure to verify SSL certificates↗2014-10-06

▶

💬Community

Bugzilla

CVE-2014-3691 foreman-proxy: failure to verify SSL certificates↗2014-10-09

▶