CVE-2015-3908

Ansible < 1.9.2 - Insufficient Verification of Data Authenticity in X.509 Certificate

Title source: llm
STIX 2.1

Description

Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References (5)

Core 5
Core References
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/07/14/4
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2015-07/msg00051.html
Vendor Advisory x_refsource_confirm
http://www.ansible.com/security
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2015-08/msg00029.html
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html

Scores

EPSS 0.0093
EPSS Percentile 56.0%

Details

CWE
CWE-345
Status published
Products (2)
pypi/ansible 0 - 1.9.2PyPI
redhat/ansible < 1.9.1
Published Aug 12, 2015
Tracked Since Feb 18, 2026