CVE-2014-3691

Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does not validate SSL certificates, which allows remote attackers to bypass intended authentication and execute arbitrary API requests via a request without a certificate.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
VendorProductVersion
redhatopenstack
4.0
redhatopenstack
5.0
theforemanforeman
𝑥
≤ 1.5.3
theforemanforeman
1.6.0
theforemanforeman
1.6.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://projects.theforeman.org/issues/7822
http://rhn.redhat.com/errata/RHSA-2015-0287.html
http://rhn.redhat.com/errata/RHSA-2015-0288.html
https://github.com/theforeman/smart-proxy/pull/217
https://groups.google.com/forum/#%21topic/foreman-announce/jXC5ixybjqo
http://projects.theforeman.org/issues/7822
http://rhn.redhat.com/errata/RHSA-2015-0287.html
http://rhn.redhat.com/errata/RHSA-2015-0288.html
https://github.com/theforeman/smart-proxy/pull/217
https://groups.google.com/forum/#%21topic/foreman-announce/jXC5ixybjqo