CVE-2021-3494

EPSS 0.25%
Published 26.04.2021 15:15:07
Last modified 21.11.2024 06:21:40
Source secalert@redhat.com
Teams watchlist Login
Open Login

A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certificate, thus, an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Theforeman ≫ Foreman Version < 2.5.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.25%	0.452

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

https://bugzilla.redhat.com/show_bug.cgi?id=1948005

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2021-3494

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-3494

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-3494

EUVD