CVE-2014-3691

Published: 09/03/2015 Updated: 13/02/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman prior to 1.5.4 and 1.6.x prior to 1.6.2 does not validate SSL certificates, which allows remote malicious users to bypass intended authentication and execute arbitrary API requests via a request without a certificate.

Vulnerable Product

redhat openstack 4.0

redhat openstack 5.0

theforeman foreman

theforeman foreman 1.6.0

theforeman foreman 1.6.1

Vendor Advisories

Synopsis: Important: foreman-proxy security update. Type/Severity: Security Advisory: Important. Topic: Updated foreman-proxy packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. Red Hat Product Security has rated this update as having Important security impact ...
Synopsis: Important: foreman-proxy security update. Type/Severity: Security Advisory: Important. Topic: Updated foreman-proxy packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform Foreman. Red Hat Product Security has rated this update as having Important security im ...
It was discovered that foreman-proxy, when running in SSL-secured mode, did not correctly verify SSL client certificates. This could permit any client with access to the API to make requests and perform actions otherwise restricted ...