CVE-2023-5455

CWE-352 — Cross-Site Request Forgery (CSRF)6 documents6 sources

Severity

6.5MEDIUM

EPSS

0.3%

top 46.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freeipa Freeipa Fedoraproject Fedora Redhat Enterprise Linux +17 more

Timeline

PublishedJan 10

Description

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie repres…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

▶NVDfreeipa/freeipa4.7.0 — 4.9.14+3

▶Debianfreeipa< 4.11.1-1+1

▶NVDredhat/enterprise_linux_server9.0, 9.2+1

▶NVDredhat/enterprise_linux_desktop7.0

▶NVDredhat/enterprise_linux_workstation7.0

Also affects: Fedora 38, 39, 40, Enterprise Linux 7.0, 8.0, 8.4, 9.0, 8.6, 8.8, 9.2, 8.2

🔴Vulnerability Details

OSV

CVE-2023-5455: A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA↗2024-01-10

▶

CVEList

Ipa: invalid csrf protection↗2024-01-10

▶

GHSA

GHSA-45hh-rj6v-548f: A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA↗2024-01-10

▶

📋Vendor Advisories

Red Hat

ipa: Invalid CSRF protection↗2024-01-10

▶

Debian

CVE-2023-5455: freeipa - A Cross-site request forgery vulnerability exists in ipa/session/login_password ...↗2023

▶