CVE-2021-3494
Last modified
CVE-2021-3494 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certificate, thus, an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. EPSS estimates a 0.37% chance of exploitation in the next 30 days.
Description
A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certificate, thus, an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Theforeman | Foreman | < 2.5.0 |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1948005Issue Tracking, Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1948005Issue Tracking, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-3494?
How severe is CVE-2021-3494?
How do I fix CVE-2021-3494?
Are you affected by CVE-2021-3494?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST