CVE-2021-3494

{"id": "CVE-2021-3494", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2021-04-26T15:15:07.900", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948005", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certificate, thus, an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0."}, {"lang": "es", "value": "Un proxy inteligente que proporciona una API restful a varios subsistemas del Foreman est\u00e1 afectado por un fallo que puede causar un ataque de tipo Man-in-the-Middle. El m\u00f3dulo FreeIPA del proxy inteligente Foreman no comprueba el certificado SSL, por lo tanto, un atacante no autenticado puede llevar a cabo acciones en FreeIPA si determinadas condiciones se cumplen. La mayor amenaza de este fallo es la confidencialidad del sistema. Esta fallo afecta a Foreman versiones anteriores a 2.5.0."}], "lastModified": "2021-05-04T14:14:43.110", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:theforeman:foreman:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D57AF33-980D-4529-8606-1D5850224D1B", "versionEndExcluding": "2.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}