Description
A flaw was found in pki-core, which could allow a user to get a certificate for another user identity when directory-based authentication is enabled. This flaw allows an authenticated attacker on the adjacent network to impersonate another user within the scope of the domain, but they would not be able to decrypt message content.
Statement
This flaw is rated Moderate because the configuration setting that makes pki-core vulnerable, directory-based authentication, is disabled by default, and the damage is somewhat limited to the domain where the IDs are recognized (for example, in one corporation's realm). RHEL 8.7 was never affected, as the fix was rebased in RHEL 8.7 GA.
Mitigation
This flaw is not exposed if directory-based authentication is not enabled. It is not enabled by default.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Certificate System 10 | redhat-pki:10/pki-core | Affected | | |
Red Hat Enterprise Linux 6 | pki-core | Out of support scope | | |
Red Hat Enterprise Linux 8 | pki-core:10.6/pki-core | Affected | | |
Red Hat Certificate System 9.7 | pki-core | Fixed | RHSA-2022:7077 | 24.10.2022 |
Red Hat Enterprise Linux 7 | pki-core | Fixed | RHSA-2022:7086 | 24.10.2022 |
Red Hat Enterprise Linux 8.6 Extended Update Support | pki-core | Fixed | RHSA-2023:3394 | 31.05.2023 |
Red Hat Enterprise Linux 9 | pki-core | Fixed | RHSA-2023:2293 | 09.05.2023 |
Additional information
Status:
EPSS
CVSS3: 7.6 High
Related vulnerabilities
ELSA-2023-2293: pki-core security, bug fix, and enhancement update (MODERATE)