Base Score

MEDIUM5.9

CVE-2014-0161

ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary valid certificate.

VectorNETWORK

Published Bysecalert@redhat.com

Published DateJan 02, 2020, 18:15

Affected Versions(2)

ovirt-engine-sdk-python(PyPI)

Introduced0

Fixed3.4.0.7

LimitN/A

ovirt-engine-sdk-python(PyPI)

Introduced3.5.0.0

Fixed3.5.0.4

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
ovirt-engine-sdk-python(PyPI)	0	3.4.0.7	N/A
ovirt-engine-sdk-python(PyPI)	3.5.0.0	3.5.0.4	N/A

Weakness Type (CWE):CWE-295

CVSS Metrics

Base Score

5.9

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

HIGH

Availability (A)

NONE

References

Base Score

MEDIUM5.9

Weakness Type (CWE):CWE-295

CVSS Metrics

Base Score

5.9

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

HIGH

Availability (A)

NONE