PT-2020-7591 · Ovirt · Ovirt-Engine-Sdk-Python

Published 2020-01-02 · Updated 2022-05-17 · CVE-2014-0161

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

ovirt-engine-sdk-python versions prior to 3.4.0.7
ovirt-engine-sdk-python versions prior to 3.5.0.4

Description

The issue arises from the failure to verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName specified by its X.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary valid certificate.

Recommendations

For versions prior to 3.4.0.7, update to version 3.4.0.7 or later.
For versions prior to 3.5.0.4, update to version 3.5.0.4 or later.
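
The hostname check whose absence is described above, as an added example (not code from ovirt-engine-sdk-python or from this advisory). It operates on a certificate dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names, the `verify_hostname` parameter and the sample certificates are constructed for illustration.

```python
# Added example: hostname-vs-certificate matching after chain validation.
# Certificates below are constructed samples in getpeercert() dict form.

def _name_match(pattern, hostname):
    """Compare one certificate DNS name to a hostname, case-insensitively."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never covers more than one label
    if p[0] == "*":
        # whole leftmost label only, with at least two labels after it
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are rejected
    return p == h


def hostname_matches(cert, hostname):
    """True if the certificate's subjectAltName or CN covers hostname."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # dNSName entries take precedence; the CN is not consulted
        return any(_name_match(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _name_match(value, hostname):
                return True
    return False


def connect_decision(cert, hostname, verify_hostname=True):
    """Accept/reject step for a peer whose chain already validated.
    verify_hostname=False models the behaviour the advisory describes."""
    return (not verify_hostname) or hostname_matches(cert, hostname)


ENGINE_CERT = {  # constructed: issued for the engine and a wildcard zone
    "subject": ((("commonName", "engine.example.test"),),),
    "subjectAltName": (("DNS", "engine.example.test"),
                       ("DNS", "*.mgmt.example.test")),
}
OTHER_CERT = {  # constructed: valid, but issued for a different host
    "subject": ((("commonName", "other.example.test"),),),
}
```

In current Python, `ssl.create_default_context()` performs this check itself (`check_hostname` is enabled and `verify_mode` is `CERT_REQUIRED`), so client code should rely on that rather than a hand-written matcher.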

Fix

Improper Certificate Validation


Weakness Enumeration

Related Identifiers

CVE-2014-0161
GHSA-WF9J-M9FV-92GQ
PYSEC-2020-245

Affected Products

Ovirt-Engine-Sdk-Python