CVE-2015-1816
Published 2015-08-14
Priority: P4 · 19 · medium · CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
EPSS: 0.94% (56.5th percentile)
Foreman before 1.7.4 does not verify SSL certificates for LDAP connections, which allows man-in-the-middle attackers to spoof LDAP servers via a crafted certificate.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| theforeman | foreman | <= 1.7.3 | — |
CVSS provenance
nvd (v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:N
vendor_redhat: 5.0 MEDIUM
Red Hat
foreman: lack of SSL certificate validation when performing LDAPS authentication
vendor_redhat · 2015-02-19 · CVSS 5.0
CVE-2015-1816 [MEDIUM] CWE-295 foreman: lack of SSL certificate validation when performing LDAPS authentication
It was found that when making an SSL connection to an LDAP authentication source in Foreman, the remote server certificate was accepted without any verification against known certificate authorities, potentially making TLS connections vulnerable to man-in-the-middle attacks.
Package: foreman (OpenStack Foreman) - Will not fix
Package: foreman (Red Hat Enterprise Linux OpenStack Platform 6 (Juno) Installer) - Will not fix
Package: foreman (Red Hat OpenStack Platform 4) - Will not fix
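As an added illustration of the weakness described above (CWE-295: the remote certificate accepted without verification against a trust store), not code from Foreman or Red Hat: a Ruby stdlib demo in which a throwaway local TLS listener stands in for an LDAPS server, and the client either accepts any certificate (VERIFY_NONE, the pre-1.7.4 behaviour) or verifies the peer against a trust store (VERIFY_PEER). The certificate subject, ports and helper names are assumptions made for this example.

```ruby
require 'openssl'
require 'socket'

# Build a self-signed certificate and key for +cn+ (constructed for this example;
# the "legitimate" server and a rogue one each get their own).
def make_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 31)
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Start a throwaway TLS listener on 127.0.0.1 presenting +cert+. It stands in for
# an LDAPS server (hypothetical: no LDAP is spoken). Returns the bound port.
def start_tls_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  # A handshake the client aborts (certificate rejected) raises here; ignore it.
  Thread.new { loop { server.accept.close rescue nil } }
  tcp.addr[1]
end

# Attempt a TLS handshake to +port+ and report whether it completed.
# +trusted+ nil  -> VERIFY_NONE: any certificate is accepted (the vulnerable setting).
# +trusted+ cert -> VERIFY_PEER against a store holding that cert: anything else fails.
def ldaps_handshake_ok?(port, trusted = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  if trusted
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
    ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(trusted) }
  else
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  sock.sync_close = true
  sock.connect
  sock.close
  true
rescue OpenSSL::SSL::SSLError
  false
end
```

With two listeners started from `make_cert` output, `ldaps_handshake_ok?(rogue_port)` succeeds while `ldaps_handshake_ok?(rogue_port, legit_cert)` fails, which is exactly the difference the 1.7.4 fix introduces; a production client would additionally pin the expected hostname via `verify_hostname`.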
GHSA
GHSA-gjcw-j8fh-6j22: Forman before 1
ghsa_unreviewed · 2022-05-14
No detection rules found.
No public exploits indexed.
References
- http://projects.theforeman.org/issues/9858
- https://access.redhat.com/errata/RHSA-2015:1591
- https://access.redhat.com/errata/RHSA-2015:1592
- https://github.com/theforeman/foreman/pull/2265
- https://groups.google.com/forum/#%21topic/foreman-announce/9ZnuPcplNLI