CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS Percentile: 35.2%

The remote-viewer in Red Hat Enterprise Virtualization Manager (RHEV-M)
before 3.3, when using a native SPICE client invocation method, initially
makes insecure connections to the SPICE server, which allows
man-in-the-middle attackers to spoof the SPICE server.
Author | Note |
---|---|
seth-arnold | Insufficient details were provided to determine where the fault is – the Red Hat update is to their rhevm package – so I’ve marked spice as the involved package until this can be researched further. |
mdeslaur | possibly https://github.com/oVirt/ovirt-engine/commit/f39cf23b6fedc924d054e3178242388e52a3c7ed likely rhevm specific |