CVE-2021-3698 — Improper Certificate Validation in Cockpit

CWE-295 — Improper Certificate Validation7 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 70.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Agentejo Cockpit Cockpit-project Cockpit Redhat Enterprise Linux

Timeline

PublishedMar 10

Latest updateMar 11

Description

A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDcockpit-project/cockpit< 260

▶Debianagentejo/cockpit< 260-1+2

▶CVEListV5agentejo/cockpitcockpit versions prior to 260

▶CVEListV5cockpit-project/cockpitcockpit versions prior to 260

Also affects: Enterprise Linux 8.0

🔴Vulnerability Details

GHSA

GHSA-w9ph-5m4x-c49r: A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daem↗2022-03-11

▶

OSV

CVE-2021-3698: A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daem↗2022-03-10

▶

CVEList

CVE-2021-3698: A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daem↗2022-03-08

▶

📋Vendor Advisories

Microsoft

▶

Red Hat

cockpit: authenticates with revoked certificates↗2021-08-27

▶

Debian

CVE-2021-3698: cockpit - A flaw was found in Cockpit in versions prior to 260 in the way it handles the c...↗2021

▶