CVE Vulnerabilities

CVE-2012-0861

Published: Jan 04, 2013 | Modified: Feb 13, 2023
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
6.8 MEDIUM
AV:A/AC:H/Au:N/C:C/I:C/A:C
RedHat/V2
6.8 IMPORTANT
AV:A/AC:H/Au:N/C:C/I:C/A:C
RedHat/V3
Ubuntu

The vds_installer in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when adding a host, uses the -k curl parameter when downloading deployUtil.py and vds_bootstrap.py, which prevents SSL certificates from being validated and allows remote attackers to execute arbitrary Python code via a man-in-the-middle attack.

Affected Software

Name Vendor Start Version End Version
Enterprise_virtualization_manager Redhat * 3.0 (including)
Enterprise_virtualization_manager Redhat 2.1 (including) 2.1 (including)
Enterprise_virtualization_manager Redhat 2.2 (including) 2.2 (including)
Enterprise_virtualization_manager Redhat 2.2.3 (including) 2.2.3 (including)
RHEV 3.X Hypervisor and Agents for RHEL-6 RedHat vdsm-0:4.9.6-44.0.el6_3 *
RHEV 3.X Hypervisor and Agents for RHEL-6 RedHat rhev-hypervisor6-0:6.3-20121121.0.el6_3 *
RHEV Manager version 3.0 RedHat org.ovirt.engine-root-0:3.1.0-32 *

References