CVE-2015-5263

pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the server's public key upon registration.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
VendorProductVersion
pulpprojectpulp
2.4.0
pulpprojectpulp
2.4.1
pulpprojectpulp
2.4.2
pulpprojectpulp
2.4.3
pulpprojectpulp
2.4.4
pulpprojectpulp
2.5.0
pulpprojectpulp
2.5.1
pulpprojectpulp
2.5.2
pulpprojectpulp
2.5.3
pulpprojectpulp
2.6.0
pulpprojectpulp
2.6.1
pulpprojectpulp
2.6.2
pulpprojectpulp
2.6.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://cve.killedkenny.io/cve/CVE-2015-5263
http://www.openwall.com/lists/oss-security/2015/09/24/4
https://github.com/pulp/pulp/blob/aa432bf58497b5e3682333b1d5f5ae4f45788a61/client_consumer/pulp/client/consumer/cli.py#L103
https://github.com/pulp/pulp/commit/b542d7465f7e6e02e1ea1aec059ac607a65cefe7#diff-17110211f89c042a9267e2167dedd754
http://cve.killedkenny.io/cve/CVE-2015-5263
http://www.openwall.com/lists/oss-security/2015/09/24/4
https://github.com/pulp/pulp/blob/aa432bf58497b5e3682333b1d5f5ae4f45788a61/client_consumer/pulp/client/consumer/cli.py#L103
https://github.com/pulp/pulp/commit/b542d7465f7e6e02e1ea1aec059ac607a65cefe7#diff-17110211f89c042a9267e2167dedd754