Homepage
About Snyk

Man-in-the-Middle (MitM) Affecting ovirt-engine-sdk package, versions [,3.3.0.3)

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.07% (30th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-OVIRTENGINESDK-40252
  • published 1 Aug 2017
  • disclosed 5 Mar 2016
  • credit Juan Hernandez
Report a new vulnerability Found a mistake?

Introduced: 5 Mar 2016

CVE-2014-0161 Open this link in a new tab
CWE-300 Open this link in a new tab

Overview

ovirt-engine-sdk is a SDK interface to oVirt Virtualization.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM).
It was reported that oVirt's Python SDK does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary yet valid certificate.

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    Low
  • Availability (A)
    None
Expand this section

NVD

5.9 medium