Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-15720

Опубликовано: 23 июн. 2020
Источник: redhat
CVSS3: 6.8
EPSS Низкий

Описание

In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did not enable python-requests certificate validation. Since the verify parameter was hard-coded in all request functions, it was not possible to override the setting. As a result, tools making use of this class, such as the pki-server command, may have been vulnerable to Person-in-the-Middle attacks in certain non-localhost use cases. This is fixed in 10.9.0-b1.

A flaw was found in PKI, where the dogtag's pki.client.PKIConnection class disables the python-requests certificate validation. This flaw allows an attacker to intercept a connection between a FreeIPA client and a server, and execute an active Man-in-the-Middle attack. The highest threat from this vulnerability is to confidentiality and integrity.

Отчет

In PKI, the pki.client.PKIConnection python class is used by the pki-server and pkispawn commands. pki-server runs locally on the server, thus not subject to a Person in the Middle attack. pkispawn may access remote node in decentralized or cloned contexts. Identity Management (IPA) command line interface (the vault related sub-commands) may call pki.client.PKIConnection().

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6pki-coreOut of support scope
Red Hat Enterprise Linux 7pki-coreWill not fix
Red Hat Enterprise Linux 8pki-coreFixedRHSA-2020:484704.11.2020
Red Hat Enterprise Linux 8pki-depsFixedRHSA-2020:484704.11.2020

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-295
https://bugzilla.redhat.com/show_bug.cgi?id=1855273pki: Dogtag's python client does not validate certificates

EPSS

Процентиль: 41%
0.00186
Низкий

6.8 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2020-15720

CVSS3: 6.8
ubuntu
почти 5 лет назад

In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did not enable python-requests certificate validation. Since the verify parameter was hard-coded in all request functions, it was not possible to override the setting. As a result, tools making use of this class, such as the pki-server command, may have been vulnerable to Person-in-the-Middle attacks in certain non-localhost use cases. This is fixed in 10.9.0-b1.

nvd логотип

CVE-2020-15720

CVSS3: 6.8
nvd
почти 5 лет назад

In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did not enable python-requests certificate validation. Since the verify parameter was hard-coded in all request functions, it was not possible to override the setting. As a result, tools making use of this class, such as the pki-server command, may have been vulnerable to Person-in-the-Middle attacks in certain non-localhost use cases. This is fixed in 10.9.0-b1.

debian логотип

CVE-2020-15720

CVSS3: 6.8
debian
почти 5 лет назад

In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did n ...

github логотип

GHSA-hpcm-hcj8-c96c

github
около 3 лет назад

In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did not enable python-requests certificate validation. Since the verify parameter was hard-coded in all request functions, it was not possible to override the setting. As a result, tools making use of this class, such as the pki-server command, may have been vulnerable to Person-in-the-Middle attacks in certain non-localhost use cases. This is fixed in 10.9.0-b1.

oracle-oval логотип

ELSA-2020-4847

oracle-oval
больше 4 лет назад

ELSA-2020-4847: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (MODERATE)

EPSS

Процентиль: 41%
0.00186
Низкий

6.8 Medium

CVSS3