CVE-2015-5263
moderate-risk
Published 2017-09-25
pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the server's public key upon registration.
Do I need to act?
0.30% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 8.1/10
High
NETWORK / HIGH complexity
Affected Products (13)
Pulp
Affected Vendors
References (8)
Third Party Advisory
http://cve.killedkenny.io/cve/CVE-2015-5263
Third Party Advisory
https://github.com/pulp/pulp/blob/aa432bf58497b5e3682333b1d5f5ae4f45788a61/clien...
42 / 100
moderate-risk
Severity
24/34 · High
Exploitability
1/34 · Minimal
Exposure
17/34 · Moderate