CVE-2017-2667 - SSL/HTTPS server certificates are not verified by default
|Triaged:||Fixed in Releases:|
|Bugzilla link:||Found in Releases:|
|Pull request:||https://github.com/theforeman/hammer-cli/pull/235, https://github.com/theforeman/hammer-cli-foreman/pull/293|
HTTPS connections initiated by Hammer to the API server do not perform validation of the server SSL/TLS certificate, allowing for a man-in-the-middle attack against the user.
#12400 has introduced automatic certificate verification when an SSL CA is explicitly configured, but the default for HTTPS connections remains off. It could be verified against the system CA store.
Reported by Tomas Strachota to firstname.lastname@example.org.