Main Vulnerability Database Vulnerabilities #VU93288

LDAP injection in PKI - CVE-2023-4727

Published: June 25, 2024

Vulnerability identifier: #VU93288

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2023-4727

CWE-ID: CWE-90

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
PKI

Software vendor:
Dogtag

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to improper input validation when processing DLAP queries. A remote non-authenticated attacker can pass a query string parameter sessionID=*, and authenticate with an existing session saved in the LDAP directory server.

Remediation

Install updates from vendor's website.

External links

https://bugzilla.redhat.com/show_bug.cgi?id=2232218
https://github.com/dogtagpki/pki/commit/54e5b3c5932ad634b5ddf5b1d4d88c9419d6f720
https://github.com/dogtagpki/pki/commit/aa7161ba378caf5cf0471aafb679a842679c8388

LDAP injection in PKI - CVE-2023-4727

Description

Remediation

External links

Please verify you're human