CVE-2014-3691 - Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does

CVE-2014-3691

Summary

Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does not validate SSL certificates, which allows remote attackers to bypass intended authentication and execute arbitrary API requests via a request without a certificate.

References

Vulnerable Configurations

cpe:2.3:a:redhat:openstack:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:5.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:5.0:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:-:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:-:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.2:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.2:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.2:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.2:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.2:rc1:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.2:rc1:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.3:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.3:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4:rc2:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4:rc2:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4:rc3:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4:rc3:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4:rc4:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4:rc4:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4:rc5:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4:rc5:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4.2:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:0.4.2:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0:rc2:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0:rc2:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0:rc3:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0:rc3:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0:rc4:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0:rc4:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0:rc5:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0:rc5:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.1:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.1:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.1:rc1:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.1:rc1:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.1:rc2:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.1:rc2:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.1:rc3:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.1:rc3:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.1:rc4:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.1:rc4:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.1:rc5:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.1:rc5:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.0:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.0:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.0:rc2:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.0:rc2:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.0:rc3:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.0:rc3:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.3:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.2.3:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.0:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.0:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.0:rc1:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.0:rc1:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.0:rc2:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.0:rc2:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.0:rc3:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.0:rc3:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.0:rc4:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.0:rc4:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.0:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.0:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.0:rc1:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.0:rc1:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.0:rc2:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.0:rc2:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.4:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.4:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.5:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.4.5:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.5.0:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.5.0:-:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.5.0:rc1:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.5.0:rc1:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.5.0:rc2:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.5.0:rc2:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.5.3:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.5.3:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.6.0:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.6.0:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.6.1:*:*:*:*:*:*:*
cpe:2.3:a:theforeman:foreman:1.6.1:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 13-02-2023 - 00:42)
Impact:
Exploitability:

CWE

CWE-310

CAPEC

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

redhat via4

advisories

rhsa
id RHSA-2015:0287
rhsa
id RHSA-2015:0288

rpms

foreman-0:1.6.0.51-1.el6sat
foreman-0:1.6.0.51-1.el7sat
foreman-compute-0:1.6.0.51-1.el6sat
foreman-compute-0:1.6.0.51-1.el7sat
foreman-gce-0:1.6.0.51-1.el6sat
foreman-gce-0:1.6.0.51-1.el7sat
foreman-libvirt-0:1.6.0.51-1.el6sat
foreman-libvirt-0:1.6.0.51-1.el7sat
foreman-ovirt-0:1.6.0.51-1.el6sat
foreman-ovirt-0:1.6.0.51-1.el7sat
foreman-postgresql-0:1.6.0.51-1.el6sat
foreman-postgresql-0:1.6.0.51-1.el7sat
foreman-proxy-0:1.6.0.33-1.el6sat
foreman-proxy-0:1.6.0.33-1.el7sat
foreman-vmware-0:1.6.0.51-1.el6sat
foreman-vmware-0:1.6.0.51-1.el7sat
katello-agent-0:1.5.3-7.el6sat
katello-agent-0:1.5.3-7.el7sat
katello-installer-0:0.0.67-1.el6sat
katello-installer-0:0.0.67-1.el7sat
pulp-admin-client-0:2.4.4-1.el6sat
pulp-admin-client-0:2.4.4-1.el7sat
pulp-nodes-child-0:2.4.4-1.el6sat
pulp-nodes-child-0:2.4.4-1.el7sat
pulp-nodes-common-0:2.4.4-1.el6sat
pulp-nodes-common-0:2.4.4-1.el7sat
pulp-nodes-parent-0:2.4.4-1.el6sat
pulp-nodes-parent-0:2.4.4-1.el7sat
pulp-puppet-admin-extensions-0:2.4.4-1.el6sat
pulp-puppet-admin-extensions-0:2.4.4-1.el7sat
pulp-puppet-plugins-0:2.4.4-1.el6sat
pulp-puppet-plugins-0:2.4.4-1.el7sat
pulp-puppet-tools-0:2.4.4-1.el6sat
pulp-puppet-tools-0:2.4.4-1.el7sat
pulp-rpm-admin-extensions-0:2.4.4-1.1.el6sat
pulp-rpm-admin-extensions-0:2.4.4-1.1.el7sat
pulp-rpm-handlers-0:2.4.4-1.1.el6sat
pulp-rpm-handlers-0:2.4.4-1.1.el7sat
pulp-rpm-plugins-0:2.4.4-1.1.el6sat
pulp-rpm-plugins-0:2.4.4-1.1.el7sat
pulp-selinux-0:2.4.4-1.el6sat
pulp-selinux-0:2.4.4-1.el7sat
pulp-server-0:2.4.4-1.el6sat
pulp-server-0:2.4.4-1.el7sat
python-pulp-agent-lib-0:2.4.4-1.el6sat
python-pulp-agent-lib-0:2.4.4-1.el7sat
python-pulp-bindings-0:2.4.4-1.el6sat
python-pulp-bindings-0:2.4.4-1.el7sat
python-pulp-client-lib-0:2.4.4-1.el6sat
python-pulp-client-lib-0:2.4.4-1.el7sat
python-pulp-common-0:2.4.4-1.el6sat
python-pulp-common-0:2.4.4-1.el7sat
python-pulp-puppet-common-0:2.4.4-1.el6sat
python-pulp-puppet-common-0:2.4.4-1.el7sat
python-pulp-rpm-common-0:2.4.4-1.1.el6sat
python-pulp-rpm-common-0:2.4.4-1.1.el7sat
ruby193-rubygem-fog-0:1.21.0-3.2.el6sat
ruby193-rubygem-fog-0:1.21.0-3.2.el7sat
ruby193-rubygem-foreman-tasks-0:0.6.9-1.2.el6sat
ruby193-rubygem-foreman-tasks-0:0.6.9-1.2.el7sat
foreman-proxy-0:1.6.0.33-2.el6ost
foreman-proxy-0:1.3.0-7.el6ost

refmap via4

confirm

Last major update

13-02-2023 - 00:42

Published

09-03-2015 - 14:59

Last modified

13-02-2023 - 00:42