CVSS3: 6.8 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |

CVSS2: 4.0 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | HIGH |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:H/Au:N/C:P/I:P/A:N |

EPSS: 0.001 Low (percentile 45.2%)
In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did not
enable python-requests certificate validation. Since the verify parameter
was hard-coded in all request functions, it was not possible to override
the setting. As a result, tools making use of this class, such as the
pki-server command, may have been vulnerable to Person-in-the-Middle
attacks in certain non-localhost use cases. This is fixed in 10.9.0-b1.
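The pattern behind this CVE, as an added example that is not Dogtag's own code: a minimal stand-in for the pki.client.PKIConnection shape, with the vulnerable form (a literal verify=False hard-coded into every request method, so no caller can re-enable validation) next to a hardened form that exposes the setting, defaults it to on, and accepts a CA bundle path. A recording session replaces requests.Session so the code runs offline, and an AST scan shows the check a reviewer would run over a code base to find the same defect. All class, method and URL names are assumptions for illustration.

```python
"""Added example (not from the Dogtag PKI project): vulnerable vs. hardened
connection wrapper, plus an AST check for hard-coded verify=False."""
import ast


class RecordingSession:
    """Stand-in for requests.Session: records the keyword arguments each
    request method received instead of touching the network (assumption:
    the real class forwards these kwargs to requests unchanged)."""
    def __init__(self):
        self.calls = []

    def get(self, url, **kwargs):
        self.calls.append(("GET", url, kwargs))
        return {"status": 200}

    def post(self, url, **kwargs):
        self.calls.append(("POST", url, kwargs))
        return {"status": 200}


class VulnerablePKIConnection:
    """Shape of the bug: verify=False is a literal in each request function,
    so certificate validation cannot be turned on from outside the class."""
    def __init__(self, base_url, session=None):
        self.base_url = base_url.rstrip("/")
        self.session = session or RecordingSession()

    def get(self, path):
        return self.session.get(self.base_url + path, verify=False)

    def post(self, path, data=None):
        return self.session.post(self.base_url + path, data=data, verify=False)


class HardenedPKIConnection:
    """Fix pattern: validation on by default; `verify` may be True, False or a
    path to a CA bundle, and the same value is forwarded by every request."""
    def __init__(self, base_url, verify=True, session=None):
        self.base_url = base_url.rstrip("/")
        self.verify = verify
        self.session = session or RecordingSession()

    def get(self, path):
        return self.session.get(self.base_url + path, verify=self.verify)

    def post(self, path, data=None):
        return self.session.post(self.base_url + path, data=data, verify=self.verify)


def verify_settings_used(conn_cls, **ctor_kwargs):
    """Drive one GET and one POST through a recording session and return the
    `verify` value each outgoing call actually carried."""
    session = RecordingSession()
    conn = conn_cls("https://pki.example.test:8443", session=session, **ctor_kwargs)
    conn.get("/ca/rest/info")
    conn.post("/ca/rest/certrequests", data="csr")
    return [kwargs.get("verify") for _, _, kwargs in session.calls]


# Constructed sample source for the scanner: two methods with the literal
# verify=False and one that forwards a configurable attribute.
SCAN_SAMPLE = '''\
class PKIConnection:
    def get(self, path):
        return self.session.get(self.base_url + path, verify=False)

    def post(self, path, data=None):
        return self.session.post(self.base_url + path, data=data, verify=False)

    def delete(self, path):
        return self.session.delete(self.base_url + path, verify=self.verify)
'''


def find_hardcoded_verify_false(source):
    """Return (enclosing function name, line) for every call in `source` that
    passes a literal verify=False; calls that forward a variable are ignored."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        for call in ast.walk(node):
            if not isinstance(call, ast.Call):
                continue
            for kw in call.keywords:
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    hits.append((node.name, kw.value.lineno))
    return hits


if __name__ == "__main__":
    print("vulnerable:", verify_settings_used(VulnerablePKIConnection))
    print("hardened:", verify_settings_used(HardenedPKIConnection))
    print("scan hits:", find_hardcoded_verify_false(SCAN_SAMPLE))
```

Note that the hardened class still lets a caller pass verify=False explicitly; the point of the fix is that the default is safe and the choice is the caller's, which is also why the note below warns that changing the constructor signature can break dependants such as FreeIPA.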
Author | Note |
---|---|
avital | The CVE fix changes the API with the potential to break software which calls dogtag-pki under certain circumstances. If the fix is backported, the freeipa package must also be updated simultaneously with https://github.com/freeipa/freeipa/pull/4820. Additionally, other packages which use dogtag-pki must be investigated and updated if needed. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | dogtag-pki | < any | UNKNOWN |
ubuntu | 16.04 | noarch | dogtag-pki | < any | UNKNOWN |
bugzilla.redhat.com/show_bug.cgi?id=1855273
github.com/dogtagpki/pki/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72
github.com/dogtagpki/pki/compare/v10.9.0-a2...v10.9.0-b1
launchpad.net/bugs/cve/CVE-2020-15720
nvd.nist.gov/vuln/detail/CVE-2020-15720
security-tracker.debian.org/tracker/CVE-2020-15720
www.cve.org/CVERecord?id=CVE-2020-15720