CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3494 – foreman: possible man-in-the-middle in smart_proxy realm_freeipa
https://notcve.org/view.php?id=CVE-2021-3494
A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certificate, thus, an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0. Un proxy inteligente que proporciona una API restful a varios subsistemas del Foreman está afectado por un fallo que puede causar un ataque de tipo Man-in-the-Middle. • https://bugzilla.redhat.com/show_bug.cgi?id=1948005 https://access.redhat.com/security/cve/CVE-2021-3494 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 4.9EPSS: 0%CPEs: 3EXPL: 0CVE-2019-3893 – foreman: Recover of plaintext password or token for the compute resources
https://notcve.org/view.php?id=CVE-2019-3893
In Foreman it was discovered that the delete compute resource operation, when executed from the Foreman API, leads to the disclosure of the plaintext password or token for the affected compute resource. A malicious user with the "delete_compute_resource" permission can use this flaw to take control over compute resources managed by foreman. Versions before 1.20.3, 1.21.1, 1.22.0 are vulnerable. En Foreman se descubrió que la operación de eliminar recursos de cálculo, cuando se ejecuta desde la API de Foreman, conduce a la revelación de la contraseña de texto plano o token para el recurso de cálculo afectado. Un usuario malicioso con el permiso "delete_compute_resource" puede utilizar este fallo para tomar el control de los recursos de cálculo gestionados por Foreman. • http://www.openwall.com/lists/oss-security/2019/04/14/2 http://www.securityfocus.com/bid/107846 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3893 https://github.com/theforeman/foreman/pull/6621 https://projects.theforeman.org/issues/26450 https://access.redhat.com/security/cve/CVE-2019-3893 https://bugzilla.redhat.com/show_bug.cgi?id=1696400 • CWE-732: Incorrect Permission Assignment for Critical Resource •