CVE-2023-5455
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-5455
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-5455.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-5455
- Related
- Published
- 2024-01-10T13:15:48Z
- Modified
- 2024-09-16T18:35:01.120291Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.
- References
-
- https://access.redhat.com/errata/RHSA-2024:0137
- https://access.redhat.com/errata/RHSA-2024:0138
- https://access.redhat.com/errata/RHSA-2024:0139
- https://access.redhat.com/errata/RHSA-2024:0140
- https://access.redhat.com/errata/RHSA-2024:0141
- https://access.redhat.com/errata/RHSA-2024:0142
- https://access.redhat.com/errata/RHSA-2024:0143
- https://access.redhat.com/errata/RHSA-2024:0144
- https://access.redhat.com/errata/RHSA-2024:0145
- https://access.redhat.com/errata/RHSA-2024:0252
- https://bugzilla.redhat.com/show_bug.cgi?id=2242828
- https://access.redhat.com/security/cve/CVE-2023-5455
- https://www.freeipa.org/release-notes/4-10-3.html
- https://www.freeipa.org/release-notes/4-11-1.html
- https://www.freeipa.org/release-notes/4-6-10.html
- https://www.freeipa.org/release-notes/4-9-14.html
- https://security-tracker.debian.org/tracker/CVE-2023-5455
Affected packages
Debian:12 / freeipa
Package
- Name
- freeipa
- Purl
- pkg:deb/debian/freeipa?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Git / github.com/freeipa/freeipa
Affected ranges
- Type
- GIT
- Repo
- https://github.com/freeipa/freeipa
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
alpha-1-9-0
alpha_1-4-2-0
alpha_1-4-4-0
alpha_2-1-9-0
alpha_3-1-9-0
alpha_4-1-9-0
alpha_5-1-9-0
alpha_5-1-9-0-1
beta_1-2-0-0
beta_1-3-0-0
beta_1-3-2-0
beta_1-3-3-0
beta_2-3-0-0
beta_2-3-3-0
milestone_2
milestone_3
milestone_4
milestone_4_1
milestone_6
rc_1-2-0-0
rc_2-2-0-0
rc_3-2-0-0
release-1-0-0
release-1-1-0
release-2-0-0
release-2-1-0
release-3-1-0
release-3-2-0
release-3-2-0-pre1
release-3-3-0
release-4-0-0
release-4-2-0
release-4-4-0
release-4-4-1
release-4-6-0
release-4-6-1
release-4-6-2
release-4-6-3
release-4-6-4
release-4-6-5
release-4-6-6
release-4-6-8
release-4-6-9