CVE-2019-14823

Опубликовано: 14 окт. 2019

Источник: redhat

CVSS3: 6.8

EPSS Низкий

Описание

A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.

A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.

Отчет

Red Hat Certificate System 9.4 and above use the vulnerable policy. Red Hat Enterprise Satellite 6 does not ship a vulnerable version of the JSS library.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 6	jss	Not affected
Red Hat Enterprise Linux 8	pki-core:10.6/jss	Not affected
Red Hat Satellite 6	candlepin	Not affected
Red Hat Enterprise Linux 7	jss	Fixed	RHSA-2019:3067	16.10.2019
Red Hat Enterprise Linux 7.6 Extended Update Support	jss	Fixed	RHSA-2019:3225	29.10.2019

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-358

https://bugzilla.redhat.com/show_bug.cgi?id=1747435JSS: OCSP policy "Leaf and Chain" implicitly trusts the root certificate

EPSS

Процентиль: 52%

0.00287

Низкий

6.8 Medium

CVSS3

Связанные уязвимости

CVE-2019-14823

CVSS3: 7.4

ubuntu

больше 6 лет назад

CVE-2019-14823

CVSS3: 7.4

nvd

больше 6 лет назад

CVE-2019-14823

CVSS3: 7.4

debian

больше 6 лет назад

A flaw was found in the "Leaf and Chain" OCSP policy implementation in ...

GHSA-45q2-f3rm-5r6v

CVSS3: 7.4

github

больше 3 лет назад

ELSA-2019-3067

oracle-oval

больше 6 лет назад

ELSA-2019-3067: jss security update (IMPORTANT)

EPSS

Процентиль: 52%

0.00287

Низкий

6.8 Medium

CVSS3