Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
amazonAmazonALAS-2024-2586
HistoryJul 03, 2024 - 8:05 p.m.

Important: pki-core

2024-07-0320:05:00
alas.aws.amazon.com
4
pki-core
authentication scheme
ldap injection
privilege escalation
cve-2023-4727
amazon linux 2

CVSS3

7.5

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

JSON

Issue Overview:

A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with a LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to escalation of privilege. (CVE-2023-4727)

Affected Packages:

pki-core

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update pki-core to update your system.

New Packages:

aarch64:  
    pki-symkey-10.5.18-27.amzn2.0.2.aarch64  
    pki-tools-10.5.18-27.amzn2.0.2.aarch64  
    pki-core-debuginfo-10.5.18-27.amzn2.0.2.aarch64  
  
i686:  
    pki-symkey-10.5.18-27.amzn2.0.2.i686  
    pki-tools-10.5.18-27.amzn2.0.2.i686  
    pki-core-debuginfo-10.5.18-27.amzn2.0.2.i686  
  
noarch:  
    pki-base-10.5.18-27.amzn2.0.2.noarch  
    pki-base-java-10.5.18-27.amzn2.0.2.noarch  
    pki-server-10.5.18-27.amzn2.0.2.noarch  
    pki-ca-10.5.18-27.amzn2.0.2.noarch  
    pki-kra-10.5.18-27.amzn2.0.2.noarch  
    pki-javadoc-10.5.18-27.amzn2.0.2.noarch  
  
src:  
    pki-core-10.5.18-27.amzn2.0.2.src  
  
x86_64:  
    pki-symkey-10.5.18-27.amzn2.0.2.x86_64  
    pki-tools-10.5.18-27.amzn2.0.2.x86_64  
    pki-core-debuginfo-10.5.18-27.amzn2.0.2.x86_64

Additional References

Red Hat: CVE-2023-4727

Mitre: CVE-2023-4727

OSVersionArchitecturePackageVersionFilename
Amazon Linux2aarch64pki-symkey< 10.5.18-27.amzn2.0.2pki-symkey-10.5.18-27.amzn2.0.2.aarch64.rpm
Amazon Linux2aarch64pki-tools< 10.5.18-27.amzn2.0.2pki-tools-10.5.18-27.amzn2.0.2.aarch64.rpm
Amazon Linux2aarch64pki-core-debuginfo< 10.5.18-27.amzn2.0.2pki-core-debuginfo-10.5.18-27.amzn2.0.2.aarch64.rpm
Amazon Linux2i686pki-symkey< 10.5.18-27.amzn2.0.2pki-symkey-10.5.18-27.amzn2.0.2.i686.rpm
Amazon Linux2i686pki-tools< 10.5.18-27.amzn2.0.2pki-tools-10.5.18-27.amzn2.0.2.i686.rpm
Amazon Linux2i686pki-core-debuginfo< 10.5.18-27.amzn2.0.2pki-core-debuginfo-10.5.18-27.amzn2.0.2.i686.rpm
Amazon Linux2noarchpki-base< 10.5.18-27.amzn2.0.2pki-base-10.5.18-27.amzn2.0.2.noarch.rpm
Amazon Linux2noarchpki-base-java< 10.5.18-27.amzn2.0.2pki-base-java-10.5.18-27.amzn2.0.2.noarch.rpm
Amazon Linux2noarchpki-server< 10.5.18-27.amzn2.0.2pki-server-10.5.18-27.amzn2.0.2.noarch.rpm
Amazon Linux2noarchpki-ca< 10.5.18-27.amzn2.0.2pki-ca-10.5.18-27.amzn2.0.2.noarch.rpm
Rows per page:
1-10 of 151

Related

almalinux 2
osv 4
nessus 16
redhat 9
ubuntucve 1
debiancve 1
oraclelinux 3
cve 1
rocky 1
vulnrichment 1
nvd 1
redhatcve 1
cvelist 1
almalinux
almalinux
Important: pki-core security update
2024-07-08 00:00:00
Important: pki-core security update
2024-06-27 00:00:00
osv
osv
Important: pki-core security update
2024-06-27 00:00:00
Important: pki-core security update
2024-07-08 00:00:00
Important: pki-core security update
2024-07-03 21:27:28
nessus
nessus
Oracle Linux 7 : pki-core (ELSA-2024-4222)
2024-07-02 00:00:00
RHEL 9 : pki-core (RHSA-2024:4165)
2024-06-27 00:00:00
RHEL 8 : pki-core (RHSA-2024:4179)
2024-07-01 00:00:00
redhat
redhat
(RHSA-2024:4179) Important: pki-core security update
2024-07-01 00:58:06
(RHSA-2024:4165) Important: pki-core security update
2024-06-27 13:48:52
(RHSA-2024:4070) Important: Red Hat Certificate System 10.4 for RHEL 8 security and bug fix update
2024-06-24 15:46:32
ubuntucve
ubuntucve
CVE-2023-4727
2024-06-11 00:00:00
debiancve
debiancve
CVE-2023-4727
2024-06-11 20:15:09
oraclelinux
oraclelinux
pki-core security update
2024-06-27 00:00:00
pki-core security update
2024-07-02 00:00:00
pki-core security update
2024-07-10 00:00:00
cve
cve
CVE-2023-4727
2024-06-11 20:15:09
rocky
rocky
pki-core security update
2024-07-03 21:27:28
vulnrichment
vulnrichment
CVE-2023-4727 Ca: token authentication bypass vulnerability
2024-06-11 19:30:25
nvd
nvd
CVE-2023-4727
2024-06-11 20:15:09
redhatcve
redhatcve
CVE-2023-4727
2024-06-11 19:24:16
cvelist
cvelist
CVE-2023-4727 Ca: token authentication bypass vulnerability
2024-06-11 19:30:25

CVSS3

7.5

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

JSON
Related for ALAS-2024-2586
almalinux2osv4nessus16redhat9ubuntucve1debiancve1oraclelinux3cve1rocky1vulnrichment1nvd1redhatcve1cvelist1