CVE-2009-3552
low-risk
Published 2019-11-09
In RHEV-M VDC 2.2.0, it was found that the SSL certificate was not verified when using the client-side Red Hat Enterprise Virtualization Manager interface (a Windows Presentation Foundation (WPF) XAML browser application) to connect to the Red Hat Enterprise Virtualization Manager. An attacker on the local network could use this flaw to conduct a man-in-the-middle attack, tricking the user into thinking they are viewing the Red Hat Enterprise Virtualization Manager when the content is actually attacker-controlled, or modifying actions a user requested Red Hat Enterprise Virtualization Manager to perform.
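The flaw class above (a .NET client that accepts whatever server certificate it is shown) is easy to reproduce and easy to fix. The following is an added illustration written for this page, not RHEV-M code or anything from Red Hat: it shows the vulnerable "accept anything" callback beside a fail-closed validator that also pins the manager's certificate. The host name `rhevm.example.local` and the thumbprint value are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example for the bug class behind CVE-2009-3552. Not RHEV-M code.
class RhevmTlsExample
{
    // VULNERABLE pattern: returning true for every certificate disables TLS
    // server authentication for the whole process. An on-path attacker on the
    // same network can then terminate the connection with any certificate and
    // read or rewrite every request the user makes to the manager.
    static bool AcceptAnything(object sender, X509Certificate cert,
                               X509Chain chain, SslPolicyErrors errors)
    {
        return true;
    }

    // Assumed pin for illustration: the SHA-1 thumbprint of the manager's
    // real certificate would go here (obtain it out of band, not over the
    // connection being validated).
    static readonly string ExpectedThumbprint =
        "0000000000000000000000000000000000000000";

    // HARDENED pattern: fail closed on any policy error (untrusted chain,
    // name mismatch, certificate not available) and additionally require the
    // pinned thumbprint, so even a mis-issued but CA-valid certificate for
    // the manager's name is rejected.
    static bool StrictValidate(object sender, X509Certificate cert,
                               X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None)
        {
            Console.Error.WriteLine("Rejecting server certificate: " + errors);
            return false;
        }
        string thumbprint = new X509Certificate2(cert).Thumbprint;
        if (!string.Equals(thumbprint, ExpectedThumbprint,
                           StringComparison.OrdinalIgnoreCase))
        {
            Console.Error.WriteLine("Rejecting server certificate: thumbprint "
                                    + thumbprint + " does not match the pin");
            return false;
        }
        return true;
    }

    static void Main()
    {
        // Swap in AcceptAnything to observe the vulnerable behaviour: the
        // request below then succeeds against a self-signed or attacker
        // certificate instead of failing.
        ServicePointManager.ServerCertificateValidationCallback = StrictValidate;

        var request = (HttpWebRequest)WebRequest.Create("https://rhevm.example.local/");
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            {
                Console.WriteLine("Connected: " + response.StatusCode);
            }
        }
        catch (WebException ex)
        {
            // With StrictValidate, a bad certificate surfaces here as
            // WebExceptionStatus.TrustFailure rather than a silent MITM.
            Console.WriteLine("Connection refused: " + ex.Status + " - " + ex.Message);
        }
    }
}
```

To check a client you do not have source for, point it at a test host that serves a self-signed certificate, or one whose name does not match, and confirm the connection is refused; a client that connects anyway has the same exposure as the one described above. Note that `ServicePointManager.ServerCertificateValidationCallback` is process-global, so an "accept anything" callback installed for one convenience endpoint silently disables validation for every other HTTPS connection the process makes.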
Do I need to act?
EPSS: 0.19% chance of exploitation (low exploit probability).
CISA KEV: not listed; no confirmed active exploitation reported to CISA.
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance.
CVSS: 3.1/10 (Low); attack vector adjacent network, attack complexity high.
References
Third Party Advisory: https://access.redhat.com/security/cve/cve-2009-3552
Issue Tracking: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3552
Third Party Advisory: https://www.securityfocus.com/bid/42639
Risk score: 14 / 100 (low-risk)
Severity: 8/34 (Low)
Exploitability: 1/34 (Minimal)
Exposure: 5/34 (Minimal)