QSearchQSearch

CVE-2021-3494

5.9 MEDIUM

A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Midd...

Published: 2021-04-26 · Last updated: 2026-06-17

Severity and scoring

CVSS
5.9 MEDIUM
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
CWE-319

Affected products

VendorProduct
theforemanforeman

Description

A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certificate, thus, an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2021-3469 Foreman versions before 2.3.4 and before 2.4.0 is affected by an improper authorization handling flaw (5.4 MEDIUM)
  • CVE-2021-3457 An improper authorization handling flaw was found in Foreman (6.1 MEDIUM)
  • CVE-2021-3413 A flaw was found in Red Hat Satellite in tfm-rubygem-foreman_azure_rm in versions before 2.2.0 (6.3 MEDIUM)

Same CWE

  • CVE-2026-9741 A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryp... (6.5 MEDIUM)
  • CVE-2026-45432 This vulnerability exists in GX Earth ONT models due to the transmission of user credentials in plaintext over HTTP in its web management...
  • CVE-2026-8874 Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted ... (7.1 HIGH)
  • CVE-2026-36610 Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding (5.9 MEDIUM)
  • CVE-2026-7666 An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15 (3.1 LOW)