CVE-2021-3494 — MEDIUM (5.9)

Q: How severe is CVE-2021-3494?

CVE-2021-3494 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-3494?

Check the references section above for vendor advisories and patch information. Affected products include: Theforeman Foreman.

Vulnerability Description

A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certificate, thus, an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Theforeman	Foreman	< 2.5.0

Related Weaknesses (CWE)

CWE-319

References

https://bugzilla.redhat.com/show_bug.cgi?id=1948005Issue TrackingThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1948005Issue TrackingThird Party Advisory

FAQ

What is CVE-2021-3494?

CVE-2021-3494 is a vulnerability with a CVSS score of 5.9 (MEDIUM). A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not c...

How severe is CVE-2021-3494?

CVE-2021-3494 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-3494?

Check the references section above for vendor advisories and patch information. Affected products include: Theforeman Foreman.