CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
35.7%
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.
access.redhat.com/errata/RHSA-2024:0137
access.redhat.com/errata/RHSA-2024:0138
access.redhat.com/errata/RHSA-2024:0139
access.redhat.com/errata/RHSA-2024:0140
access.redhat.com/errata/RHSA-2024:0141
access.redhat.com/errata/RHSA-2024:0142
access.redhat.com/errata/RHSA-2024:0143
access.redhat.com/errata/RHSA-2024:0144
access.redhat.com/errata/RHSA-2024:0145
access.redhat.com/errata/RHSA-2024:0252
access.redhat.com/security/cve/CVE-2023-5455
bugzilla.redhat.com/show_bug.cgi?id=2242828
lists.fedoraproject.org/archives/list/[email protected]/message/U76DAZZVY7V4XQBOOV5ETPTHW3A6MW5O/
lists.fedoraproject.org/archives/list/[email protected]/message/UFNUQH7IOHTKCTKQWFHONWGUBOUANL6I/
www.freeipa.org/release-notes/4-10-3.html
www.freeipa.org/release-notes/4-11-1.html
www.freeipa.org/release-notes/4-6-10.html
www.freeipa.org/release-notes/4-9-14.html
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
35.7%