CVE-2015-3908 — Insufficient Verification of Data Authenticity in Redhat Ansible

CWE-345 — Insufficient Verification of Data Authenticity11 documents8 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 55.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible

Timeline

PublishedAug 12

Latest updateMar 28

Description

Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

▶PyPIredhat/ansible< 1.9.2

▶Debianredhat/ansible< 1.9.2+dfsg-1+3

▶Ubunturedhat/ansible< 1.5.4+dfsg-1ubuntu0.1~esm3+3

▶NVDredhat/ansible1.9.1

🔴Vulnerability Details

OSV

ansible regression↗2025-03-28

▶

OSV

ansible vulnerabilities↗2025-03-05

▶

OSV

Ansible does not verify that the server hostname matches a domain name in certificates↗2018-10-10

▶

GHSA

Ansible does not verify that the server hostname matches a domain name in certificates↗2018-10-10

▶

OSV

CVE-2015-3908: Ansible before 1↗2015-08-12

▶

📋Vendor Advisories

Ubuntu

Ansible vulnerabilities↗2025-03-05

▶

Red Hat

ansible: multiple issues fixed in 1.9.2↗2015-06-19

▶

Debian

CVE-2015-3908: ansible - Ansible before 1.9.2 does not verify that the server hostname matches a domain n...↗2015

▶

💬Community

Bugzilla

CVE-2015-6240 CVE-2015-3908 ansible: multiple issues fixed in 1.9.2↗2015-07-15

▶