6.5
CVE-2023-5455
- EPSS 0.57%
- Veröffentlicht 10.01.2024 13:15:48
- Zuletzt bearbeitet 18.03.2026 04:16:51
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Ipa: invalid csrf protection
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fedoraproject ≫ Fedora Version38
Fedoraproject ≫ Fedora Version39
Fedoraproject ≫ Fedora Version40
Redhat ≫ Codeready Linux Builder Version-
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version8.0
Redhat ≫ Enterprise Linux Version8.0 HwPlatformarm64
Redhat ≫ Enterprise Linux Version8.4
Redhat ≫ Enterprise Linux Version9.0
Redhat ≫ Enterprise Linux Desktop Version7.0
Redhat ≫ Enterprise Linux Eus Version8.6
Redhat ≫ Enterprise Linux Eus Version8.6 HwPlatformarm64
Redhat ≫ Enterprise Linux Eus Version8.8
Redhat ≫ Enterprise Linux Eus Version9.0
Redhat ≫ Enterprise Linux Eus Version9.2
Redhat ≫ Enterprise Linux For Arm 64 Eus Version8.8
Redhat ≫ Enterprise Linux For Arm 64 Eus Version9.0
Redhat ≫ Enterprise Linux For Arm 64 Eus Version9.2
Redhat ≫ Enterprise Linux For Ibm Z Systems Version7.0
Redhat ≫ Enterprise Linux For Ibm Z Systems Version8.0
Redhat ≫ Enterprise Linux For Ibm Z Systems Version9.0
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version8.6
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version8.8
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version9.0
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version9.2
Redhat ≫ Enterprise Linux For Power Big Endian Version7.0
Redhat ≫ Enterprise Linux For Power Little Endian Version7.0
Redhat ≫ Enterprise Linux For Power Little Endian Version8.0
Redhat ≫ Enterprise Linux For Power Little Endian Version9.0
Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.6
Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.8
Redhat ≫ Enterprise Linux For Power Little Endian Eus Version9.0
Redhat ≫ Enterprise Linux For Power Little Endian Eus Version9.2
Redhat ≫ Enterprise Linux For Scientific Computing Version7.0
Redhat ≫ Enterprise Linux Server Version9.0 HwPlatformarm64
Redhat ≫ Enterprise Linux Server Version9.2 HwPlatformarm64
Redhat ≫ Enterprise Linux Server Aus Version8.2
Redhat ≫ Enterprise Linux Server Aus Version8.4
Redhat ≫ Enterprise Linux Server Aus Version8.6
Redhat ≫ Enterprise Linux Server Aus Version9.2
Redhat ≫ Enterprise Linux Server For Ibm Z Systems Version9.2
Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Version8.2
Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Version8.4
Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Version8.6
Redhat ≫ Enterprise Linux Server Tus Version8.2
Redhat ≫ Enterprise Linux Server Tus Version8.4
Redhat ≫ Enterprise Linux Server Tus Version8.6
Redhat ≫ Enterprise Linux Update Services For Sap Solutions Version9.0
Redhat ≫ Enterprise Linux Update Services For Sap Solutions Version9.2
Redhat ≫ Enterprise Linux Workstation Version7.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.57% | 0.426 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
|
| secalert@redhat.com | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
https://access.redhat.com/errata/RHSA-2024:0137
https://access.redhat.com/errata/RHSA-2024:0138
https://access.redhat.com/errata/RHSA-2024:0139
https://access.redhat.com/errata/RHSA-2024:0140
https://access.redhat.com/errata/RHSA-2024:0141
https://access.redhat.com/errata/RHSA-2024:0142
https://access.redhat.com/errata/RHSA-2024:0143
https://access.redhat.com/errata/RHSA-2024:0144
https://access.redhat.com/errata/RHSA-2024:0145
https://access.redhat.com/errata/RHSA-2024:0252
https://access.redhat.com/security/cve/CVE-2023-5455
https://bugzilla.redhat.com/show_bug.cgi?id=2242828
https://www.freeipa.org/release-notes/4-10-3.html
https://www.freeipa.org/release-notes/4-11-1.html
https://www.freeipa.org/release-notes/4-6-10.html
https://www.freeipa.org/release-notes/4-9-14.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U76DAZZVY7V4XQBOOV5ETPTHW3A6MW5O/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFNUQH7IOHTKCTKQWFHONWGUBOUANL6I/