CVE-2022-2393: Improper Authorization in Project Pki-core

Severity
5.7 MEDIUM (NVD)
EPSS
0.1%
top 83.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 14
Latest update: Feb 26

Description

A flaw was found in pki-core, which could allow a user to get a certificate for another user identity when directory-based authentication is enabled. This flaw allows an authenticated attacker on the adjacent network to impersonate another user within the scope of the domain, but they would not be able to decrypt message content.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.1 | Impact: 3.6

Affected Packages: 3 packages

CVEListV5: pki-core_project/pki-core: pki-core versions 10.12.4 and prior are affected.
NVD: redhat/certificate_system: 10.0, 9.0 +1

Also affects: Enterprise Linux 6.0, 7.0, 8.0, 9.0

🔴 Vulnerability Details

3
GHSA
GHSA-hjh3-jq28-5qcc: A flaw was found in pki-core, which could allow a user to get a certificate for another user identity when directory-based authentication is enabled (2022-07-15)
OSV
CVE-2022-2393: A flaw was found in pki-core, which could allow a user to get a certificate for another user identity when directory-based authentication is enabled (2022-07-14)
CVEList
CVE-2022-2393: A flaw was found in pki-core, which could allow a user to get a certificate for another user identity when directory-based authentication is enabled (2022-07-14)

📋 Vendor Advisories

3
Red Hat
kernel: sfc: fix considering that all channels have TX queues (2025-02-26)
Red Hat
pki-core: When using the caServerKeygen_DirUserCert profile, user can get certificates for other UIDs by entering name in Subject field (2022-07-12)
Debian
CVE-2022-2393: dogtag-pki - A flaw was found in pki-core, which could allow a user to get a certificate for ... (2022)
CVE-2022-2393 — Improper Authorization | cvebase