Main Vulnerability Database Vulnerabilities #VU93288

LDAP injection in PKI - CVE-2023-4727

Published: June 25, 2024

Vulnerability identifier: #VU93288

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2023-4727

CWE-ID: CWE-90

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Dogtag

Affected software:
PKI

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to improper input validation when processing DLAP queries. A remote non-authenticated attacker can pass a query string parameter sessionID=*, and authenticate with an existing session saved in the LDAP directory server.

How to mitigate CVE-2023-4727

Install updates from vendor's website.

Sources

https://bugzilla.redhat.com/show_bug.cgi?id=2232218
https://github.com/dogtagpki/pki/commit/54e5b3c5932ad634b5ddf5b1d4d88c9419d6f720
https://github.com/dogtagpki/pki/commit/aa7161ba378caf5cf0471aafb679a842679c8388

LDAP injection in PKI - CVE-2023-4727

Detailed vulnerability description

How to mitigate CVE-2023-4727

Sources

Please verify you're human