GitHub Advisory DatabaseGHSA-77H8-XR85-3X5Qhammer_cli_foreman Improper Certificate Validation vulnerability
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
70.3%
Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. As a result the server certificates are not checked and connections are prone to man-in-the-middle attacks.
| CPE | Name | Operator | Version |
|---|---|---|---|
| hammer_cli_foreman | lt | 0.10.0 |
References
projects.theforeman.org/issues/19033
www.securityfocus.com/bid/97153
access.redhat.com/errata/RHSA-2018:0336
bugzilla.redhat.com/show_bug.cgi?id=1436262
github.com/advisories/GHSA-77h8-xr85-3x5q
github.com/rubysec/ruby-advisory-db/blob/master/gems/hammer_cli_foreman/CVE-2017-2667.yml
nvd.nist.gov/vuln/detail/CVE-2017-2667
web.archive.org/web/20200227181720/www.securityfocus.com/bid/97153
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
70.3%