CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
35.7%
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.
Vendor | Product | Version | CPE |
---|---|---|---|
freeipa | freeipa | * | cpe:2.3:a:freeipa:freeipa:*:*:*:*:*:*:*:* |
freeipa | freeipa | 4.11.0 | cpe:2.3:a:freeipa:freeipa:4.11.0:-:*:*:*:*:*:* |
freeipa | freeipa | 4.11.0 | cpe:2.3:a:freeipa:freeipa:4.11.0:beta1:*:*:*:*:*:* |
fedoraproject | fedora | 38 | cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* |
fedoraproject | fedora | 39 | cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* |
fedoraproject | fedora | 40 | cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:* |
redhat | codeready_linux_builder | - | cpe:2.3:a:redhat:codeready_linux_builder:-:*:*:*:*:*:*:* |
redhat | enterprise_linux | 7.0 | cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* |
redhat | enterprise_linux | 8.0 | cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* |
redhat | enterprise_linux | 8.0 | cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:arm64:* |
access.redhat.com/errata/RHSA-2024:0137
access.redhat.com/errata/RHSA-2024:0138
access.redhat.com/errata/RHSA-2024:0139
access.redhat.com/errata/RHSA-2024:0140
access.redhat.com/errata/RHSA-2024:0141
access.redhat.com/errata/RHSA-2024:0142
access.redhat.com/errata/RHSA-2024:0143
access.redhat.com/errata/RHSA-2024:0144
access.redhat.com/errata/RHSA-2024:0145
access.redhat.com/errata/RHSA-2024:0252
access.redhat.com/security/cve/CVE-2023-5455
bugzilla.redhat.com/show_bug.cgi?id=2242828
www.freeipa.org/release-notes/4-10-3.html
www.freeipa.org/release-notes/4-11-1.html
www.freeipa.org/release-notes/4-6-10.html
www.freeipa.org/release-notes/4-9-14.html
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
35.7%