CVE-2017-2667 - SSL/HTTPS server certificates are not verified by default
Assigned To: Tomáš Strachota
Pull request: https://github.com/theforeman/hammer-cli-foreman/pull/293, https://github.com/theforeman/hammer-cli/pull/235
HTTPS connections initiated by Hammer to the API server do not perform validation of the server SSL/TLS certificate, allowing for a man-in-the-middle attack against the user.
#12400 introduced automatic certificate verification when an SSL CA is explicitly configured, but for HTTPS connections without a configured CA verification remains off by default. In that case the server certificate could instead be verified against the system CA store.
Reported by Tomas Strachota to email@example.com.
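Added example, not Hammer's code: a Ruby model of the client settings at issue, run against a constructed self-signed certificate that stands in for an untrusted (or intercepting) API server. The names `self_signed_cert` and `handshake` are chosen here; with VERIFY_NONE (the vulnerable default) the handshake succeeds, with VERIFY_PEER against the system CA store it is rejected, and with the certificate supplied as an explicit CA it succeeds again.

```ruby
require 'openssl'
require 'socket'
# Constructed for this example: a self-signed certificate standing in for an
# API server whose certificate is in no trusted CA store (as a MITM's would be).
def self_signed_cert(cn = 'api.example.test')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# One TLS handshake over an in-process socket pair; returns the client's verdict.
# verify_mode is the client setting this issue is about; trusted_cert models an
# explicitly configured CA file, and nil means "fall back to the system CA store".
def handshake(cert, key, verify_mode:, trusted_cert: nil)
  srv_ctx = OpenSSL::SSL::SSLContext.new
  srv_ctx.cert, srv_ctx.key = cert, key
  cli_ctx = OpenSSL::SSL::SSLContext.new
  cli_ctx.verify_mode = verify_mode
  store = OpenSSL::X509::Store.new
  trusted_cert ? store.add_cert(trusted_cert) : store.set_default_paths
  cli_ctx.cert_store = store
  a, b = Socket.pair(:UNIX, :STREAM)
  server = Thread.new do
    begin
      OpenSSL::SSL::SSLSocket.new(a, srv_ctx).accept
    rescue StandardError
      nil # client aborted the handshake; only the client's verdict matters here
    end
  end
  OpenSSL::SSL::SSLSocket.new(b, cli_ctx).connect
  :connected
rescue OpenSSL::SSL::SSLError
  :rejected
ensure
  b&.close
  server&.join
  a&.close
end

if __FILE__ == $PROGRAM_NAME
  cert, key = self_signed_cert
  puts "VERIFY_NONE (vulnerable default): #{handshake(cert, key, verify_mode: OpenSSL::SSL::VERIFY_NONE)}"
  puts "VERIFY_PEER, system CA store:     #{handshake(cert, key, verify_mode: OpenSSL::SSL::VERIFY_PEER)}"
  puts "VERIFY_PEER, explicit CA:         #{handshake(cert, key, verify_mode: OpenSSL::SSL::VERIFY_PEER, trusted_cert: cert)}"
end
```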