CVE-2017-2639

MEDIUM

Red Hat CloudForms - Improper Certificate Validation for RHEV and OpenShift Connections

Title source: llm
STIX 2.1

Description

It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensitive information from CloudForms.

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/98769
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2639
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1367
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038599

Scores

CVSS v3 6.5
EPSS 0.0114
EPSS Percentile 62.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Details

CWE
CWE-295
Status published
Products (2)
redhat/cloudforms 4.5
redhat/cloudforms_management_engine 5.8
Published Jul 27, 2018
Tracked Since Feb 18, 2026