CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:H/Au:N/C:C/I:C/A:C
AI Score
Confidence
Low
EPSS
Percentile
74.4%
The vds_installer in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, uses the -k curl parameter when downloading deployUtil.py and vds_bootstrap.py, which prevents SSL certificates from being validated and allows remote attackers to execute arbitrary Python code via a man-in-the-middle attack.
Vendor | Product | Version | CPE |
---|---|---|---|
redhat | enterprise_virtualization_manager | * | cpe:2.3:a:redhat:enterprise_virtualization_manager:*:*:*:*:*:*:*:* |
redhat | enterprise_virtualization_manager | 2.1 | cpe:2.3:a:redhat:enterprise_virtualization_manager:2.1:*:*:*:*:*:*:* |
redhat | enterprise_virtualization_manager | 2.2 | cpe:2.3:a:redhat:enterprise_virtualization_manager:2.2:*:*:*:*:*:*:* |
redhat | enterprise_virtualization_manager | 2.2.3 | cpe:2.3:a:redhat:enterprise_virtualization_manager:2.2.3:*:*:*:*:*:*:* |