CVE-2021-3494

MEDIUM

Foreman < 2.5.0 - Unauthenticated Man-in-the-Middle Attack via FreeIPA Module

Title source: llm
STIX 2.1

Description

A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certificate, thus, an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0.

References (1)

Core 1
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1948005

Scores

CVSS v3 5.9
EPSS 0.0037
EPSS Percentile 28.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-319
Status published
Products (1)
theforeman/foreman < 2.5.0
Published Apr 26, 2021
Tracked Since Feb 18, 2026