| Field | Value |
|---|---|
| Vulnerability Name: | CVE-2021-3494 (CCN-200776) |
| Assigned: | 2021-04-16 |
| Published: | 2021-04-16 |
| Updated: | 2021-05-04 |
| Summary: | The Foreman smart proxy, which provides a RESTful API to various Foreman sub-systems, is affected by a flaw that can enable a man-in-the-middle attack. The FreeIPA module of the smart proxy does not check the SSL certificate of the FreeIPA server, so an unauthenticated attacker who can intercept that connection can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0. |
| CVSS v3 Severity (base): | 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) |
| CVSS v3 Severity (temporal): | 5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C) |
| CVSS v3 Severity (CCN temporal): | 5.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C) |
| CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N) |
| Vulnerability Type: | CWE-319 (Cleartext Transmission of Sensitive Information) |
| Vulnerability Consequences: | Gain Access |
| References: | Source: MITRE, Type: CNA, CVE-2021-3494 |
| | Source: CCN, Type: Red Hat Bugzilla, Bug 1948005 (CVE-2021-3494) - CVE-2021-3494 foreman: possible man-in-the-middle in smart_proxy realm_freeipa |
| | Source: MISC, Type: Issue Tracking, Third Party Advisory, https://bugzilla.redhat.com/show_bug.cgi?id=1948005 |
| | Source: XF, Type: UNKNOWN, foreman-cve20213494-mitm(200776) |
| | Source: CCN, Type: smart-proxy GIT Repository, Fixes #32288 - verify FreeIPA CA by default and new setting #787 |
| | Source: CCN, Type: WhiteSource Vulnerability Database, CVE-2021-3494 |
| Vulnerable Configuration: | Configuration 1; Configuration CCN 1 (marker denotes that the component is vulnerable) |