CVE-2015-5263

EUVD-2015-5249
pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the server's public key upon registration.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
Affected Products (NVD)
VendorProductVersion
pulpprojectpulp
2.4.0
pulpprojectpulp
2.4.1
pulpprojectpulp
2.4.2
pulpprojectpulp
2.4.3
pulpprojectpulp
2.4.4
pulpprojectpulp
2.5.0
pulpprojectpulp
2.5.1
pulpprojectpulp
2.5.2
pulpprojectpulp
2.5.3
pulpprojectpulp
2.6.0
pulpprojectpulp
2.6.1
pulpprojectpulp
2.6.2
pulpprojectpulp
2.6.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://cve.killedkenny.io/cve/CVE-2015-5263
http://www.openwall.com/lists/oss-security/2015/09/24/4
https://github.com/pulp/pulp/blob/aa432bf58497b5e3682333b1d5f5ae4f45788a61/client_consumer/pulp/client/consumer/cli.py#L103
https://github.com/pulp/pulp/commit/b542d7465f7e6e02e1ea1aec059ac607a65cefe7#diff-17110211f89c042a9267e2167dedd754
http://cve.killedkenny.io/cve/CVE-2015-5263
http://www.openwall.com/lists/oss-security/2015/09/24/4
https://github.com/pulp/pulp/blob/aa432bf58497b5e3682333b1d5f5ae4f45788a61/client_consumer/pulp/client/consumer/cli.py#L103
https://github.com/pulp/pulp/commit/b542d7465f7e6e02e1ea1aec059ac607a65cefe7#diff-17110211f89c042a9267e2167dedd754