CVE-2016-5404

Severity: 6.5 MEDIUM
EPSS: 0.5% (top 35.58%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 7; Latest update May 13

Description

The cert_revoke command in FreeIPA does not check for the "revoke certificate" permission, which allows remote authenticated users to revoke arbitrary certificates by leveraging the "retrieve certificate" permission.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

Debian    freeipa         < 4.3.2-5  +2
Ubuntu    freeipa         < 3.3.4-0ubuntu3.1+esm1  +1
NVD       oracle/linux    6, 7  +1

Also affects: Fedora 23, 24, 25

Patches

Vulnerability Details (4)

GHSA     GHSA-xxm7-22wp-69jx: The cert_revoke command in FreeIPA does not check for the "revoke certificate" permission, which allows remote authenticated users to revoke arbitrary...  2022-05-13
OSV      freeipa vulnerabilities  2021-03-15
OSV      CVE-2016-5404: The cert_revoke command in FreeIPA does not check for the "revoke certificate" permission, which allows remote authenticated users to revoke arbitrary...  2016-09-07
CVEList  CVE-2016-5404: The cert_revoke command in FreeIPA does not check for the "revoke certificate" permission, which allows remote authenticated users to revoke arbitrary...  2016-09-07

Vendor Advisories (3)

Ubuntu   FreeIPA vulnerabilities  2021-03-15
Red Hat  ipa: Insufficient privileges check in certificate revocation  2016-08-17
Debian   CVE-2016-5404: freeipa - The cert_revoke command in FreeIPA does not check for the "revoke certificate" p...  2016

Community (2)

Bugzilla  CVE-2016-5404 freeipa: ipa: Insufficient privileges check in certificate revocation [fedora-all]  2016-08-17
Bugzilla  CVE-2016-5404 ipa: Insufficient privileges check in certificate revocation  2016-06-30
CVE-2016-5404 (MEDIUM CVSS 6.5) | The cert_revoke command in FreeIPA | cvebase.io