CVE-2014-3691

Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does not validate SSL certificates, which allows remote attackers to bypass intended authentication and execute arbitrary API requests via a request without a certificate.

Affected Software

Name	Vendor	Start Version	End Version
Openstack	Redhat	4.0 (including)	4.0 (including)
Openstack	Redhat	5.0 (including)	5.0 (including)
OpenStack 4 for RHEL 6	RedHat	foreman-proxy-0:1.3.0-7.el6ost	*
OpenStack Foreman for RHEL 6	RedHat	foreman-proxy-0:1.6.0.33-2.el6ost	*
Red Hat Satellite 6.0	RedHat	foreman-0:1.6.0.51-1.el7sat	*
Red Hat Satellite 6.0	RedHat	foreman-proxy-0:1.6.0.33-1.el6sat	*
Red Hat Satellite 6.0	RedHat	katello-agent-0:1.5.3-7.el6sat	*
Red Hat Satellite 6.0	RedHat	katello-installer-0:0.0.67-1.el7sat	*
Red Hat Satellite 6.0	RedHat	pulp-0:2.4.4-1.el7sat	*
Red Hat Satellite 6.0	RedHat	pulp-nodes-0:2.4.4-1.el6sat	*
Red Hat Satellite 6.0	RedHat	pulp-puppet-0:2.4.4-1.el6sat	*
Red Hat Satellite 6.0	RedHat	pulp-rpm-0:2.4.4-1.1.el7sat	*
Red Hat Satellite 6.0	RedHat	ruby193-rubygem-fog-0:1.21.0-3.2.el6sat	*
Red Hat Satellite 6.0	RedHat	ruby193-rubygem-foreman-tasks-0:0.6.9-1.2.el7sat	*
Red Hat Satellite 6.0	RedHat	foreman-0:1.6.0.51-1.el7sat	*
Red Hat Satellite 6.0	RedHat	foreman-proxy-0:1.6.0.33-1.el6sat	*
Red Hat Satellite 6.0	RedHat	katello-agent-0:1.5.3-7.el6sat	*
Red Hat Satellite 6.0	RedHat	katello-installer-0:0.0.67-1.el7sat	*
Red Hat Satellite 6.0	RedHat	pulp-0:2.4.4-1.el7sat	*
Red Hat Satellite 6.0	RedHat	pulp-nodes-0:2.4.4-1.el6sat	*
Red Hat Satellite 6.0	RedHat	pulp-puppet-0:2.4.4-1.el6sat	*
Red Hat Satellite 6.0	RedHat	pulp-rpm-0:2.4.4-1.1.el7sat	*
Red Hat Satellite 6.0	RedHat	ruby193-rubygem-fog-0:1.21.0-3.2.el6sat	*
Red Hat Satellite 6.0	RedHat	ruby193-rubygem-foreman-tasks-0:0.6.9-1.2.el7sat	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-3691
CWE	https://cwe.mitre.org/data/definitions/310.html

Affected Software

References