CVE-2021-3494

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-3494

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-3494.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-3494

Related

RHSA-2021:4702

Published

2021-04-26T15:15:07Z

Modified

2024-10-12T07:43:01.162927Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certificate, thus, an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1948005

Affected packages

Git / github.com/theforeman/foreman

Affected ranges

Type: GIT
Repo: https://github.com/theforeman/foreman
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4cb58d3daed9474d7e348df218574ac418a3dfd8

Type: GIT
Repo: https://github.com/theforeman/foreman-installer
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0ecc28870a830e2e0d788a468f04958f17db92c9

Type: GIT
Repo: https://github.com/theforeman/smart-proxy
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9db8be445d447b3e0d1007f188ce32c89b20da78

Affected versions

0.*

0.1

0.1-1

0.1-2

0.1-3

0.1-4

0.1-5

0.1-6

0.2

0.2rc1

0.2rc2

0.3

0.3.1

0.4

0.4rc2

0.4rc3

0.4rc4

0.4rc5

1.*

1.0

1.0.1

1.0RC1

1.0RC2

1.0RC3

1.0RC4

1.0RC5

1.1

1.1RC1

1.1RC2

1.1RC3

1.1RC4

1.1RC5

2.*

2.5.0-rc1

2.5.0-rc2

2.5.0-rc3