CVE-2017-7537 (DEPRECATED): Authentication Bypass Issues in PKI Pki-core

Severity
NVD: 7.5 HIGH
CNA: 5.9
EPSS
Score: 0.1% (top 68.23%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 26
Latest update: Dec 10

Description

It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package before 10.6.4. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing certificates.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Patches

Vulnerability Details (4)

OSV: dogtag-pki vulnerabilities (2024-12-10)
GHSA: GHSA-x46g-cxp8-8wjm: It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package before 10... (2022-05-13)
OSV: CVE-2017-7537: It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package before 10... (2018-07-26)
CVEList: CVE-2017-7537: It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package before 10... (2018-07-26)

Vendor Advisories (3)

Ubuntu: Dogtag PKI vulnerabilities (2024-12-10)
Red Hat: pki-core: mock CMC authentication plugin with hardcoded secret enabled by default (2017-07-21)
Debian: CVE-2017-7537: dogtag-pki - It was found that a mock CMC authentication plugin with a hardcoded secret was a... (2017)

Community (1)

Bugzilla: CVE-2017-7537 pki-core: mock CMC authentication plugin with hardcoded secret enabled by default (2017-07-13)