Upstream information

CVE-2023-4727 at MITRE

Description

A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with a LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to escalation of privilege.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

No SUSE Bugzilla entries cross referenced.

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Liberty Linux 7 LTSS
  • pki-base >= 10.5.18-32.el7_9
  • pki-base-java >= 10.5.18-32.el7_9
  • pki-ca >= 10.5.18-32.el7_9
  • pki-javadoc >= 10.5.18-32.el7_9
  • pki-kra >= 10.5.18-32.el7_9
  • pki-server >= 10.5.18-32.el7_9
  • pki-symkey >= 10.5.18-32.el7_9
  • pki-tools >= 10.5.18-32.el7_9
 Patchnames:
RHSA-2024:4222
SUSE Liberty Linux 9
  • idm-pki-acme >= 11.5.0-2.el9_4
  • idm-pki-base >= 11.5.0-2.el9_4
  • idm-pki-ca >= 11.5.0-2.el9_4
  • idm-pki-est >= 11.5.0-2.el9_4
  • idm-pki-java >= 11.5.0-2.el9_4
  • idm-pki-kra >= 11.5.0-2.el9_4
  • idm-pki-server >= 11.5.0-2.el9_4
  • idm-pki-tools >= 11.5.0-2.el9_4
  • python3-idm-pki >= 11.5.0-2.el9_4
 Patchnames:
RHSA-2024:4165

SUSE Timeline for this CVE

CVE page created: Tue Jun 11 18:00:18 2024
CVE page last modified: Thu Sep 26 13:42:23 2024