GHSA SYNC: 2 brand new red hat advisories

jasnow · postmodern · commit 6ffc70029867 · 2026-02-03T16:26:01.000-08:00
diff --git a/gems/fog-kubevirt/CVE-2026-1530.yml b/gems/fog-kubevirt/CVE-2026-1530.yml
@@ -0,0 +1,29 @@
+---
+gem: fog-kubevirt
+cve: 2026-1530
+ghsa: m3hq-3qj8-c5fm
+url: https://access.redhat.com/security/cve/CVE-2026-1530
+title: fog-kubevirt allows remote attacker to perform MITM attack
+  due to disabled certificate validation
+date: 2026-02-02
+description: |
+  A flaw was found in fog-kubevirt. This vulnerability allows a remote
+  attacker to perform a Man-in-the-Middle (MITM) attack due to disabled
+  certificate validation. This enables the attacker to intercept and
+  potentially alter sensitive communications between Satellite and
+  OpenShift, resulting in information disclosure and data integrity
+  compromise.
+cvss_v3: 8.1
+patched_versions:
+  - ">= 1.5.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-1530
+    - https://github.com/fog/fog-kubevirt/releases/tag/v1.5.1
+    - https://github.com/fog/fog-kubevirt/blob/8adb03e07972d6e19a7713ecf2a827aa2cfe4b9e/CHANGELOG.md?plain=1#L11
+    - https://github.com/fog/fog-kubevirt/pull/168
+    - https://github.com/fog/fog-kubevirt/commit/8371e9ded99f9ec3e74caf2f283836109763e450
+    - https://github.com/fog/fog-kubevirt/commit/9603d79a239a0f68bedfc679cd1b65fbf6ec4753
+    - https://access.redhat.com/security/cve/CVE-2026-1530
+    - https://bugzilla.redhat.com/show_bug.cgi?id=2433784
+    - https://github.com/advisories/GHSA-m3hq-3qj8-c5fm
diff --git a/gems/foreman_kubevirt/CVE-2026-1531.yml b/gems/foreman_kubevirt/CVE-2026-1531.yml
@@ -0,0 +1,26 @@
+---
+gem: foreman_kubevirt
+cve: 2026-1531
+ghsa: 2qxw-7fmx-gqfm
+url: https://access.redhat.com/security/cve/CVE-2026-1531
+title: foreman_kubevirt disables SSL verification if a Certificate
+  Authority (CA) certificate is not explicitly set
+date: 2026-02-02
+description: |
+  A flaw was found in foreman_kubevirt. When configuring the connection
+  to OpenShift, the system disables SSL verification if a Certificate
+  Authority (CA) certificate is not explicitly set. This insecure
+  default allows a remote attacker, capable of intercepting network
+  traffic between Satellite and OpenShift, to perform a Man-in-the-Middle
+  (MITM) attack. Such an attack could lead to the disclosure or
+  alteration of sensitive information.
+cvss_v3: 8.1
+patched_versions:
+  - ">= 0.4.3"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-1531
+    - https://github.com/theforeman/foreman_kubevirt/commit/6c9973ee59c6fbec65f165eb9ea9dd4ebb6eeef1
+    - https://access.redhat.com/security/cve/CVE-2026-1531
+    - https://bugzilla.redhat.com/show_bug.cgi?id=2433786
+    - https://github.com/advisories/GHSA-2qxw-7fmx-gqfm
