6.5

CVE-2016-9575

Ipa versions 4.2.x, 4.3.x before 4.3.3 and 4.4.x before 4.4.3 did not properly check the user's permissions while modifying certificate profiles in IdM's certprofile-mod command. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates with arbitrary naming or key usage information and subsequently use such certificates for other attacks.

Data is provided by the National Vulnerability Database (NVD)
FreeipaFreeipa Version4.2.0
FreeipaFreeipa Version4.2.0 Updatealpha1
FreeipaFreeipa Version4.2.1
FreeipaFreeipa Version4.2.2
FreeipaFreeipa Version4.2.3
FreeipaFreeipa Version4.2.4
FreeipaFreeipa Version4.3.0
FreeipaFreeipa Version4.3.1
FreeipaFreeipa Version4.3.2
FreeipaFreeipa Version4.4.0
FreeipaFreeipa Version4.4.1
FreeipaFreeipa Version4.4.2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.27% 0.503
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.3 2.8 3.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
nvd@nist.gov 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

http://www.securityfocus.com/bid/95068
Third Party Advisory
VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1395311
Third Party Advisory
Issue Tracking