CVE-2009-3552

EUVD-2009-3534

09.11.2019, 03:15

In RHEV-M VDC 2.2.0, it was found that the SSL certificate was not verified when using the client-side Red Hat Enterprise Virtualization Manager interface (a Windows Presentation Foundation (WPF) XAML browser application) to connect to the Red Hat Enterprise Virtualization Manager. An attacker on the local network could use this flaw to conduct a man-in-the-middle attack, tricking the user into thinking they are viewing the Red Hat Enterprise Virtualization Manager when the content is actually attacker-controlled, or modifying actions a user requested Red Hat Enterprise Virtualization Manager to perform.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.1 LOW	ADJACENT_NETWORK	HIGH	NONE	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 40%

Affected Products (NVD)

Vendor	Product	Version
redhat	enterprise_virtualization_manager	2.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-295 - Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate.

References

https://access.redhat.com/security/cve/cve-2009-3552

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3552

https://www.securityfocus.com/bid/42639

https://access.redhat.com/security/cve/cve-2009-3552

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3552

https://www.securityfocus.com/bid/42639