{}

{}

{}

{"acknowledgement": "This issue was discovered by Evgeni Golov (Red Hat).", "bugzilla": {"description": "foreman-kubevirt: foreman_kubevirt: Man-in-the-Middle due to insecure default SSL verification", "id": "2433786", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433786"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-295", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that a Certificate Authority (CA) certificate is explicitly configured when setting up the connection to OpenShift in foreman_kubevirt. This will enable SSL verification and prevent Man-in-the-Middle attacks. Refer to the foreman_kubevirt documentation for specific instructions on configuring CA certificates. A restart or service reload may be required for the changes to take effect."}, "name": "CVE-2026-1531", "package_state": [{"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "rubygem-foreman_kubevirt", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "satellite:el8/rubygem-foreman_kubevirt", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-01-28T12:34:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1531\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1531"], "statement": "This is an IMPORTANT flaw in foreman_kubevirt where the default configuration for connecting to OpenShift disables SSL verification if a CA certificate is not explicitly provided. This insecure default allows a remote attacker to perform a Man-in-the-Middle attack by intercepting network traffic between Satellite and OpenShift, potentially leading to information disclosure or alteration.", "threat_severity": "Important"}

{}