CVE-2010-3868

CWE-287 — Improper Authentication5 documents5 sources

Severity

5.8MEDIUM

EPSS

0.3%

top 48.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Certificate System

Timeline

PublishedNov 17

Latest updateMay 17

Description

Red Hat Certificate System (RHCS) 7.3 and 8 and Dogtag Certificate System do not require authentication for requests to decrypt SCEP one-time PINs, which allows remote attackers to obtain PINs by sniffing the network for SCEP requests and then sending decryption requests to the Certificate Authority component.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages1 packages

▶NVDredhat/certificate_system7.3, 8+1

Patches

Patch: fedorahosted.org ↗Patch: fedorahosted.org ↗

🔴Vulnerability Details

GHSA

GHSA-hg35-p8x7-fw5f: Red Hat Certificate System (RHCS) 7↗2022-05-17

▶

CVEList

CVE-2010-3868: Red Hat Certificate System (RHCS) 7↗2010-11-17

▶

📋Vendor Advisories

Red Hat

System: unauthenticated user can request SCEP one-time PIN decryption↗2010-11-08

▶

💬Community

Bugzilla

CVE-2010-3868 Certificate System: unauthenticated user can request SCEP one-time PIN decryption↗2010-11-02

▶