CVE-2017-2639

Published: Jul 27, 2018Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensitive information from CloudForms.

Affected (2)

Products: Redhat: Cloudforms, Cloudforms Management Engine

2 products

Cloudforms Management Engine

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Cloudforms	Version 4.5

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Cloudforms Management Engine	Version 5.8

Related CWEs

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (8)

http://www.securityfocus.com/bid/98769

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1038599

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2017:1367

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2639

Source: secalert@redhat.com

Issue TrackingVendor Advisory

http://www.securityfocus.com/bid/98769

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1038599

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2017:1367

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2639

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.