CVE-2015-5152Sensitive Information Exposure in Foreman

CWE-200Sensitive Information ExposureCWE-319Cleartext Transmission of Sensitive Info5 documents5 sources
Severity
8.1HIGHNVD
EPSS
0.3%
top 47.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Theforeman Foreman
Timeline
PublishedJul 17
Latest updateMay 17

Description

Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages1 packages

NVDtheforeman/foreman30 versions+29

🔴Vulnerability Details

2
GHSA
GHSA-f78j-3cq3-m6p4: Foreman after 12022-05-17
CVEList
CVE-2015-5152: Foreman after 12017-07-14

📋Vendor Advisories

1
Red Hat
Foreman: API permits HTTP requests when require_ssl is enabled2015-07-15

💬Community

1
Bugzilla
CVE-2015-5152 Foreman: API permits HTTP requests when require_ssl is enabled2015-07-15
CVE-2015-5152 — Sensitive Information Exposure | cvebase