Vulnerability Details : CVE-2012-3533
The Python SDK before 3.1.0.6 and CLI before 3.1.0.8 for oVirt 3.1 do not check the server SSL certificate against the client keys, which allows remote attackers to spoof a server via a man-in-the-middle (MITM) attack.
Products affected by CVE-2012-3533
- cpe:2.3:a:ovirt:ovirt:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ovirt:ovirt-engine-cli:*:*:*:*:*:*:*:*
- cpe:2.3:a:ovirt-engine-sdk:3.1.0.5:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-3533
- 0.29%: Probability of exploitation activity in the next 30 days
- ~ 65 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-3533
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
CWE ids for CVE-2012-3533
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-3533
- http://www.openwall.com/lists/oss-security/2012/08/24/6
  oss-security - oVirt 3.1 does not validate server certificates in python sdk and cli (CVE-2012-3533)
- https://bugzilla.redhat.com/show_bug.cgi?id=851672
  851672 – (CVE-2012-3533) CVE-2012-3533 ovirt 3.1: does not validate server identity in new python SDK and CLI
- https://exchange.xforce.ibmcloud.com/vulnerabilities/77984
  oVirt SSL spoofing CVE-2012-3533 Vulnerability Report
- http://gerrit.ovirt.org/#/c/7209/
  Change I5daf24ed: sdk: implement server identity check | gerrit.ovirt Code Review
- http://www.openwall.com/lists/oss-security/2012/08/26/1
  oss-security - Re: oVirt 3.1 does not validate server certificates in python sdk and cli (CVE-2012-3533)
- http://www.securityfocus.com/bid/55208
  oVirt SSL Certificate Validation Security Bypass Vulnerability
- http://gerrit.ovirt.org/#/c/7249/
  gerrit.ovirt Code Review