CVE-2023-5455

EPSS 0.37%
Published 10.01.2024 13:15:48
Last modified 21.11.2024 08:41:47
Source secalert@redhat.com
Teams watchlist Login
Open Login

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

Affected products Warnungen 0 Metrics 3 CWE 1 References 21

Data is provided by the National Vulnerability Database (NVD)

Freeipa ≫ Freeipa Version < 4.6.10

Freeipa ≫ Freeipa Version >= 4.7.0 < 4.9.14

Freeipa ≫ Freeipa Version >= 4.10.0 < 4.10.3

Freeipa ≫ Freeipa Version4.11.0 Update-

Freeipa ≫ Freeipa Version4.11.0 Updatebeta1

Fedoraproject ≫ Fedora Version38

Fedoraproject ≫ Fedora Version39

Fedoraproject ≫ Fedora Version40

Redhat ≫ Codeready Linux Builder Version-

Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Enterprise Linux Version8.0 HwPlatformarm64

Redhat ≫ Enterprise Linux Version8.4

Redhat ≫ Enterprise Linux Version9.0

Redhat ≫ Enterprise Linux Desktop Version7.0

Redhat ≫ Enterprise Linux Eus Version8.6

Redhat ≫ Enterprise Linux Eus Version8.6 HwPlatformarm64

Redhat ≫ Enterprise Linux Eus Version8.8

Redhat ≫ Enterprise Linux Eus Version9.0

Redhat ≫ Enterprise Linux Eus Version9.2

Redhat ≫ Enterprise Linux For Arm 64 Eus Version8.8

Redhat ≫ Enterprise Linux For Arm 64 Eus Version9.0

Redhat ≫ Enterprise Linux For Arm 64 Eus Version9.2

Redhat ≫ Enterprise Linux For Ibm Z Systems Version7.0

Redhat ≫ Enterprise Linux For Ibm Z Systems Version8.0

Redhat ≫ Enterprise Linux For Ibm Z Systems Version9.0

Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version8.6

Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version8.8

Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version9.0

Redhat ≫ Enterprise Linux For Ibm Z Systems Eus Version9.2

Redhat ≫ Enterprise Linux For Power Big Endian Version7.0

Redhat ≫ Enterprise Linux For Power Little Endian Version7.0

Redhat ≫ Enterprise Linux For Power Little Endian Version8.0

Redhat ≫ Enterprise Linux For Power Little Endian Version9.0

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.6

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version8.8

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version9.0

Redhat ≫ Enterprise Linux For Power Little Endian Eus Version9.2

Redhat ≫ Enterprise Linux For Scientific Computing Version7.0

Redhat ≫ Enterprise Linux Server Version9.0 HwPlatformarm64

Redhat ≫ Enterprise Linux Server Version9.2 HwPlatformarm64

Redhat ≫ Enterprise Linux Server Aus Version8.2

Redhat ≫ Enterprise Linux Server Aus Version8.4

Redhat ≫ Enterprise Linux Server Aus Version8.6

Redhat ≫ Enterprise Linux Server Aus Version9.2

Redhat ≫ Enterprise Linux Server For Ibm Z Systems Version9.2

Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Version8.2

Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Version8.4

Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Version8.6

Redhat ≫ Enterprise Linux Server Tus Version8.2

Redhat ≫ Enterprise Linux Server Tus Version8.4

Redhat ≫ Enterprise Linux Server Tus Version8.6

Redhat ≫ Enterprise Linux Server Update Services For Sap Solutions Version8.2

Redhat ≫ Enterprise Linux Server Update Services For Sap Solutions Version8.6

Redhat ≫ Enterprise Linux Server Update Services For Sap Solutions Version9.0

Redhat ≫ Enterprise Linux Server Update Services For Sap Solutions Version9.2

Redhat ≫ Enterprise Linux Update Services For Sap Solutions Version9.0

Redhat ≫ Enterprise Linux Update Services For Sap Solutions Version9.2

Redhat ≫ Enterprise Linux Workstation Version7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.37%	0.579

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
secalert@redhat.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://access.redhat.com/errata/RHSA-2024:0137

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:0138

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:0139

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:0140

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:0141

Third Party Advisory

https://access.redhat.com/errata/RHSA-2024:0142

Third Party Advisory