PYSEC-2020-245

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/ovirt-engine-sdk-python/PYSEC-2020-245.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2020-245

Aliases

CVE-2014-0161
GHSA-wf9j-m9fv-92gq

Published

2020-01-02T18:15:00Z

Modified

2026-06-10T17:02:27.888916449Z

Summary

[none]

Details

ovirt-engine-sdk-python before 3.4.0.7 and 3.5.0.4 does not verify that the hostname of the remote endpoint matches the Common Name (CN) or subjectAltName as specified by its x.509 certificate in a TLS/SSL session. This could allow man-in-the-middle attackers to spoof remote endpoints via an arbitrary valid certificate.

References

Affected packages

PyPI / ovirt-engine-sdk-python

Package

Name: ovirt-engine-sdk-python; View open source insights on deps.dev
Purl: pkg:pypi/ovirt-engine-sdk-python

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.0.7

Introduced

3.5.0.0

Fixed

3.5.0.4

Affected versions

3.*

3.3.0.3-1

3.3.0.6-1

3.3.0.7-1

3.3.0.8-1

3.3.5.0

3.4.0.1-1

3.4.0.2

3.4.0.6

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/ovirt-engine-sdk-python/PYSEC-2020-245.yaml"