Vulnerability Details CVE-2017-2639
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensitive information from CloudForms.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 69.6%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 5.0
References
- http://www.securityfocus.com/bid/98769
- http://www.securitytracker.com/id/1038599
- https://access.redhat.com/errata/RHSA-2017:1367
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2639
- http://www.securityfocus.com/bid/98769
- http://www.securitytracker.com/id/1038599
- https://access.redhat.com/errata/RHSA-2017:1367
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2639
Products affected by CVE-2017-2639
-
cpe:2.3:a:redhat:cloudforms:4.5
-
cpe:2.3:a:redhat:cloudforms_management_engine:5.8