Lucene search

K

MITRECVE-2023-5455

HistoryJan 10, 2024 - 12:33 p.m.

CVE-2023-5455

2024-01-1012:33:00

MITRE

web.nvd.nist.gov

133

ipa

cross-site request forgery

csrf

vulnerability

security

nvd

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

35.1%

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

References

access.redhat.com/errata/RHSA-2024:0137

access.redhat.com/errata/RHSA-2024:0138

access.redhat.com/errata/RHSA-2024:0139

access.redhat.com/errata/RHSA-2024:0140

access.redhat.com/errata/RHSA-2024:0141

access.redhat.com/errata/RHSA-2024:0142

access.redhat.com/errata/RHSA-2024:0143

access.redhat.com/errata/RHSA-2024:0144

access.redhat.com/errata/RHSA-2024:0145

access.redhat.com/errata/RHSA-2024:0252

access.redhat.com/security/cve/CVE-2023-5455

bugzilla.redhat.com/show_bug.cgi?id=2242828

lists.fedoraproject.org/archives/list/[email protected]/message/U76DAZZVY7V4XQBOOV5ETPTHW3A6MW5O/

lists.fedoraproject.org/archives/list/[email protected]/message/UFNUQH7IOHTKCTKQWFHONWGUBOUANL6I/

www.freeipa.org/release-notes/4-10-3.html

www.freeipa.org/release-notes/4-11-1.html

www.freeipa.org/release-notes/4-6-10.html

www.freeipa.org/release-notes/4-9-14.html

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

35.1%

Related for CVE-2023-5455

nessus23 redhat14 openvas3 osv4 amazon1 redhatcve1 prion1 debiancve1 oraclelinux3 almalinux2 redos1 ubuntucve1 fedora2 centos1 rocky1