CVE-2017-11191

Опубликовано: 27 сент. 2017

Источник: redhat

CVSS3: 3.1

EPSS Низкий

Описание

FreeIPA 4.x with API version 2.213 allows a remote authenticated users to bypass intended account-locking restrictions via an unlock action with an old session ID (for the same user account) that had been created for an earlier session. NOTE: Vendor states that issue does not exist in product and does not recognize this report as a valid security concern

Отчет

This security issue does not exist in IPA / FreeIPA. FreeIPA server correctly rejects the HTTP request for "user_unlock" method with 401 Unauthorized HTTP code when the attacker tries to reuse an older browser session. Therefore, we do not consider this report as a valid security concern. We have submitted a request to MITRE to reject this CVE ID.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 6	ipa	Not affected
Red Hat Enterprise Linux 7	ipa	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low

https://bugzilla.redhat.com/show_bug.cgi?id=1475851ipa: Session reuse to unlock the locked user

EPSS

Процентиль: 22%

0.00072

Низкий

3.1 Low

CVSS3

Связанные уязвимости

CVE-2017-11191

CVSS3: 8.8

ubuntu

больше 8 лет назад

CVE-2017-11191

CVSS3: 8.8

nvd

больше 8 лет назад

CVE-2017-11191

CVSS3: 8.8

debian

больше 8 лет назад

FreeIPA 4.x with API version 2.213 allows a remote authenticated users ...

GHSA-h7qv-cfwh-6fxm

CVSS3: 8.8

github

больше 3 лет назад

** DISPUTED ** FreeIPA 4.x with API version 2.213 allows a remote authenticated users to bypass intended account-locking restrictions via an unlock action with an old session ID (for the same user account) that had been created for an earlier session. NOTE: Vendor states that issue does not exist in product and does not recognize this report as a valid security concern.

EPSS

Процентиль: 22%

0.00072

Низкий

3.1 Low

CVSS3