CVE-2014-3691

high

Published 2015-03-09 · Modified 2026-05-06

CVSS v3

—

CVSS v2

7.5

VIR risk

7.5

Description

Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does not validate SSL certificates, which allows remote attackers to bypass intended authentication and execute arbitrary API requests via a request without a certificate.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://github.com/theforeman/smart-proxy/pull/217

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://projects.theforeman.org/issues/7822

Application impact

Vendor	Product	Versions
redhat	openstack	`4.0`
redhat	openstack	`5.0`
theforeman	foreman	`{"endIncluding":"1.5.3"}`
theforeman	foreman	`1.6.0`
theforeman	foreman	`1.6.1`

References

http://projects.theforeman.org/issues/7822
http://rhn.redhat.com/errata/RHSA-2015-0287.html
http://rhn.redhat.com/errata/RHSA-2015-0288.html
https://github.com/theforeman/smart-proxy/pull/217
https://groups.google.com/forum/#%21topic/foreman-announce/jXC5ixybjqo
http://projects.theforeman.org/issues/7822
http://rhn.redhat.com/errata/RHSA-2015-0287.html
http://rhn.redhat.com/errata/RHSA-2015-0288.html
https://github.com/theforeman/smart-proxy/pull/217
https://groups.google.com/forum/#%21topic/foreman-announce/jXC5ixybjqo

CWEs

CWE-310

Verify integrity in audit chain (admin only). AS-IS.