CVE-2008-5082 — Improper Authentication in Redhat Certificate System

CWE-287 — Improper Authentication5 documents5 sources

Severity

6.0MEDIUMNVD

EPSS

0.2%

top 58.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Certificate System Redhat Dogtag Certificate System

Timeline

PublishedJan 30

Latest updateMay 17

Description

The verifyProof function in the Token Processing System (TPS) component in Red Hat Certificate System (RHCS) 7.1 through 7.3 and Dogtag Certificate System 1.0 returns successfully even when token enrollment did not use the hardware key, which allows remote authenticated users with enrollment privileges to bypass intended authentication policies by performing enrollment with a software key.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 6.8 | Impact: 6.4

Affected Packages2 packages

▶NVDredhat/dogtag_certificate_system1.0

▶NVDredhat/certificate_system7.1, 7.2, 7.3+2

🔴Vulnerability Details

GHSA

GHSA-j872-hj4c-mqf5: The verifyProof function in the Token Processing System (TPS) component in Red Hat Certificate System (RHCS) 7↗2022-05-17

▶

CVEList

CVE-2008-5082: The verifyProof function in the Token Processing System (TPS) component in Red Hat Certificate System (RHCS) 7↗2009-01-30

▶

📋Vendor Advisories

Red Hat

System: missing public key challenge proof verification in the TPS component↗2009-01-29

▶

💬Community

Bugzilla

CVE-2008-5082 Certificate System: missing public key challenge proof verification in the TPS component↗2008-12-11

▶