5.4

CVE-2021-40088

EPSS 0.13%
Veröffentlicht 25.08.2021 02:15:08
Zuletzt bearbeitet 21.11.2024 06:23:31
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints (by verifying that the client certificate has access to the CA and Profiles being enrolled against), this check was not performed when authenticating revocation operations, allowing a known tenant to revoke a certificate belonging to another tenant.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Primekey ≫ Ejbca SwEditionenterprise Version < 7.6.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.13%	0.289

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
nvd@nist.gov	4.9	6.8	4.9	AV:N/AC:M/Au:S/C:N/I:P/A:P

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://support.primekey.com/news/posts/51

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-40088

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-40088

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-40088

EUVD