CVE-2017-2639
Severity: 7.5 HIGH
EPSS: 0.5% (top 35.39%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jul 27
Latest update: May 13
Description
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensitive information from CloudForms.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6
Affected Packages: 3 packages
🔴 Vulnerability Details (2)
GHSA
GHSA-gmm6-vqjm-5p45: It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicat (2022-05-13)
CVEList
CVE-2017-2639: It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicat (2018-07-27)
📋 Vendor Advisories (1)
Red Hat
CloudForms: cloudforms fails to properly check certificates when communicating with RHEV and OpenShift and custom CA (2017-05-31)
💬 Community (1)
Bugzilla
CVE-2017-2639 CloudForms: cloudforms fails to properly check certificates when communicating with RHEV and OpenShift and custom CA (2017-03-06)