16 matches found
CVE-2025-3026
CVE-2025-3026 affects the EJBCA service, specifically version 8.0 Enterprise (not tested in higher versions). The issue arises from modifying the HTTP Host header, which lets an attacker manipulate generated links and redirect clients to a user-controlled base URL, potentially causing the client ...
CVE-2021-40089
PrimeKey EJBCA up to version 7.6.0 is affected by a logic flaw in the General Purpose Custom Publisher. The publisher, which is intended to invoke a local script during publishing, could still execute when the System Configuration setting Enable External Script Access is disabled. This means that...
CVE-2025-3027
Concrete details show an open redirect in EJBCA 8.0 Enterprise due to a PATH/URL modification that causes the server to redirect to an external page, enabling potential phishing. Affected component: EJBCA service; vulnerability type: open redirect; impact: misdirection to malicious sites. Exploit...
CVE-2021-40088
PrimeKey EJBCA CMP RA Mode (versions prior to 7.6.0) can be configured to authenticate enrollments with a known client certificate, and the same certificate is used for revocation requests. The multi-tenancy access check applied during enrollment is not performed during revocation authentication,...
CVE-2021-40087
PrimeKey EJBCA before version 7.6.0 is affected by an issue where modifications to enrollment-secret alias configurations for protocols SCEP, CMP, and EST are logged in cleartext in the audit log (administrator-accessible). The vulnerability arises from audit logging changes to alias configuratio...
CVE-2022-40711
PrimeKey EJBCA 7.9.0.2 Community is affected by CVE-2022-40711, a stored XSS in the End Entity section. A user with the RA Administrator role can inject an XSS payload targeting higher-privilege users. Public remediations/patch version not specified in the provided sources. Exploitation details a...
CVE-2021-40086
PrimeKey EJBCA before 7.6.0 exposes the enrollment secret for SCEP, CMP, EST, and Auto-enrollment on an administrator-viewable page; the secret is recoverable via page source inspection. Affected: versions prior to 7.6.0. Impact: potential leakage of enrollment configuration secrets. Root cause: ...
CVE-2020-11629
EJBCA before 6.15.2.6 and 7.x before 7.3.1.2 is affected by a vulnerability in the External Command Certificate Validator . The validator allows uploading external linters to validate certificates, and is described as saving uploaded test certificates to the server. An attacker who gains access t...
CVE-2020-28942
Summary: PrimeKey EJBCA versions prior to 7.4.3 allow enrollment with EST proxied through an RA over the Peers protocol to bypass the allowed-CA restriction for RAs. An attacker with a valid trusted client certificate and enrollment authorization can use any functioning authenticated RA connected...
CVE-2020-11631
CVE-2020-11631 affects PrimeKey/EBJCA: pre-6.15.2.6 and pre-7.3.1.2 releases. A malicious user can trigger an error state in the CA UI, which enables exploitation of other bugs and can lead to privilege escalation and remote code execution . Exploitation is possible only if at least one accessibl...
CVE-2022-34831
Keyfactor PrimeKey EJBCA (before 7.9.0) is vulnerable to an ACME-related issue where, after DNS identifiers are validated in the ACME challenge, a non‑compliant client can add extra dnsNames in the CSR at finalize, causing EJBCA to issue a certificate containing unvalidated identifiers. This bypa...
CVE-2020-11628
Affected product: EJBCA (prior to 6.15.2.6 and 7.x prior to 7.3.1.2). Vulnerability: Restrictions intended to limit available remote protocols (CMP, ACME, REST, etc.) can be bypassed by altering the URI string sent by a client. EJBCA’s internal access control remains in place, and each protocol m...
CVE-2020-11630
The CVE-2020-11630 issue affects EJBCA: versions before 6.15.2.6 and 7.x before 7.3.1.2. The root cause is improper verification during deserialization of serialized objects exchanged between nodes over the Peers protocol, allowing insecure objects to be deserialized. This addresses a high-severi...
CVE-2020-11627
CVE-2020-11627 affects EJBCA prior to 6.15.2.6 and 7.x prior to 7.3.1.2, with a CSRF issue in the CA UI. The connected documents confirm the vulnerability description but do not provide exploitation details or remediation steps. Practical impact is a CSRF-based vulnerability in the CA management ...
CVE-2020-25276
PrimeKey EJBCA 6.x and 7.x prior to 7.4.1 is affected. When enrolling via EST using a client certificate, revocation checks are not performed on that certificate, only impacting systems with EST configured and where the revoked certificate is in a role authorized to enroll new end entities. Remed...
CVE-2020-11626
Two Cross Site Scripting (XSS) vulnerabilities affect EJBCA in the Public Web and the Certificate/CRL download servlets, affecting versions before 6.15.2.6 and 7.x before 7.3.1.2. The issue is caused by XSS flaws in these servlet components. Publicly disclosed details are limited to the existence...