4.3
CVE-2015-3908
- EPSS 0.93%
- Veröffentlicht 12.08.2015 14:59:21
- Zuletzt bearbeitet 06.05.2026 22:30:45
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.93% | 0.56 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-345 Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
http://www.ansible.com/security
http://lists.opensuse.org/opensuse-updates/2015-07/msg00051.html
http://lists.opensuse.org/opensuse-updates/2015-08/msg00029.html
http://www.openwall.com/lists/oss-security/2015/07/14/4
https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html