CVE-2021-3494

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-3494
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-3494.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-3494
Related
Published
2021-04-26T15:15:07Z
Modified
2024-10-12T07:43:01.162927Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certificate, thus, an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0.

References

Affected packages

Git / github.com/theforeman/foreman

Affected ranges

Type
GIT
Repo
https://github.com/theforeman/foreman
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/theforeman/foreman-installer
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/theforeman/smart-proxy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1
0.1-1
0.1-2
0.1-3
0.1-4
0.1-5
0.1-6
0.2
0.2rc1
0.2rc2
0.3
0.3.1
0.4
0.4rc2
0.4rc3
0.4rc4
0.4rc5

1.*

1.0
1.0.1
1.0RC1
1.0RC2
1.0RC3
1.0RC4
1.0RC5
1.1
1.1RC1
1.1RC2
1.1RC3
1.1RC4
1.1RC5

2.*

2.5.0-rc1
2.5.0-rc2
2.5.0-rc3