CVE-2015-5152
Published 2017-07-17
Priority: P338, high, 8.1 (CVSS 3.0)
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.51% (71.3th percentile)
Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack.
Affected
30 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| theforeman | foreman | — | — |
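CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| vendor_redhat | — | 8.1 | HIGH | — |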
Red Hat
Foreman: API permits HTTP requests when require_ssl is enabled
vendor_redhat · 2015-07-15 · CVSS 8.1
CVE-2015-5152 [HIGH] CWE-319 Foreman: API permits HTTP requests when require_ssl is enabled
Statement: This issue affects the versions of foreman as shipped with Red Hat Satellite 6 and OpenStack. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Package: foreman (OpenStack Foreman) - Affected
Package: foreman (Red Hat Enterprise Linux OpenStack Platform 6 (Juno) Installer) - Affected
GHSA
GHSA-f78j-3cq3-m6p4: Foreman after 1
ghsa_unreviewed · 2022-05-17
CVE-2015-5152 [HIGH] CWE-200 GHSA-f78j-3cq3-m6p4: Foreman after 1
No detection rules found.
No public exploits indexed.