CVE-2015-5152
high
CVSS v3
8.1
CVSS v2
4.3
VIR risk
8.1
Description
Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack.
Predictions
Exploit likelihood
88%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — https://bugzilla.redhat.com/show_bug.cgi?id=1243571
Vendor advisory: secalert@redhat.com — http://projects.theforeman.org/issues/11119
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| theforeman | foreman | 1.1-1 | |
| theforeman | foreman | 1.2.0 | |
| theforeman | foreman | 1.2.1 | |
| theforeman | foreman | 1.2.2 | |
| theforeman | foreman | 1.2.3 | |
| theforeman | foreman | 1.3.0 | |
| theforeman | foreman | 1.3.1 | |
| theforeman | foreman | 1.3.2 | |
| theforeman | foreman | 1.4.0 | |
| theforeman | foreman | 1.4.1 | |
| theforeman | foreman | 1.4.2 | |
| theforeman | foreman | 1.4.3 | |
| theforeman | foreman | 1.4.4 | |
| theforeman | foreman | 1.4.5 | |
| theforeman | foreman | 1.5.0 | |
| theforeman | foreman | 1.5.1 | |
| theforeman | foreman | 1.5.2 | |
| theforeman | foreman | 1.5.3 | |
| theforeman | foreman | 1.6.0 | |
| theforeman | foreman | 1.6.1 | |
| theforeman | foreman | 1.7.0 | |
| theforeman | foreman | 1.7.1 | |
| theforeman | foreman | 1.7.2 | |
| theforeman | foreman | 1.7.3 | |
| theforeman | foreman | 1.7.4 | |
| theforeman | foreman | 1.7.5 | |
| theforeman | foreman | 1.8.0 | |
| theforeman | foreman | 1.8.1 | |
| theforeman | foreman | 1.8.2 | |
| theforeman | foreman | 1.8.3 | |
References
CWEs
CWE-200
Verify integrity in audit chain (admin only). AS-IS.