Insufficient Verification of Data Authenticity

CVE-2015-3908

Medium

4.3/10

Summary

Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Access Complexity: MEDIUM
AccessVector: NETWORK
Authentication: NONE
Integrity Impact: PARTIAL
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-345 - Insufficient Verification of Data Authenticity

The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References

Advisory
Advisory
Release Note
Disclosure

Advisory Timeline

Published Aug 12, 2015

Insufficient Verification of Data Authenticity

CVE-2015-3908

Summary

CWE-345 - Insufficient Verification of Data Authenticity

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS