CVE-2017-2667

Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not explicitly set the verify_ssl flag for apipie-bindings that disable it by default. As a result the server certificates are not checked and connections are prone to man-in-the-middle attacks.

Published: Mar 12, 2018
Updated: Jan 27, 2024
CVE: CVE-2017-2667
GHSA: GHSA-77h8-xr85-3x5q
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-345
CWE-295

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
theforeman / hammer_cli	-	0.10.0
hammer_cli_foreman	-	0.10.0
redhat / satellite	6.3	6.3.x
redhat / satellite_capsule	6.3	6.3.x

http://projects.theforeman.org/issues/19033
http://www.securityfocus.com/bid/97153
https://access.redhat.com/errata/RHSA-2018:0336
https://bugzilla.redhat.com/show_bug.cgi?id=1436262
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/hammer_cli_foreman/CVE-2017-2667.yml
https://web.archive.org/web/20200227181720/http://www.securityfocus.com/bid/97153

Vulnerability Database

CVE-2017-2667

Deep Security Visibility Without the Complexity