CVE-2021-3494
First published: Fri Apr 09 2021(Updated: )
A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certificate, thus, an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/foreman | <2.5.0 | 2.5.0 |
| Theforeman Foreman | <2.5.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-3494.
What is the severity of CVE-2021-3494?
The severity of CVE-2021-3494 is medium with a severity value of 5.9.
What is the affected software version?
The affected software version is Foreman up to version 2.5.0.
How does CVE-2021-3494 affect the smart proxy?
CVE-2021-3494 affects the smart proxy by allowing a Man-in-the-Middle attack through the FreeIPA module.
Is authentication required to exploit CVE-2021-3494?
No, authentication is not required to exploit CVE-2021-3494.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3494
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/theforeman
- canonical/theforeman foreman
- package-manager/redhat