CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
AI Score
Confidence: Low
EPSS
Percentile: 35.7%
A cross-site request forgery (CSRF) vulnerability exists in
ipa/session/login_password in all supported versions of IPA. This flaw
allows an attacker to trick the user into submitting a request that could
perform actions as the user, resulting in a loss of confidentiality and
system integrity. During community penetration testing it was found that
FreeIPA does not ensure CSRF protection for certain HTTP endpoints. Because of
implementation details, this flaw cannot be used to replay a cookie
representing an already logged-in user; an attacker would always have to go
through a new authentication attempt.
access.redhat.com/security/cve/CVE-2023-5455
bugzilla.redhat.com/show_bug.cgi?id=2242828
launchpad.net/bugs/cve/CVE-2023-5455
nvd.nist.gov/vuln/detail/CVE-2023-5455
security-tracker.debian.org/tracker/CVE-2023-5455
www.cve.org/CVERecord?id=CVE-2023-5455
www.freeipa.org/release-notes/4-10-3.html
www.freeipa.org/release-notes/4-11-1.html
www.freeipa.org/release-notes/4-6-10.html
www.freeipa.org/release-notes/4-9-14.html