CVE-2023-5455

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-5455
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-5455.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-5455
Downstream
Related
Published
2024-01-10T13:15:48.643Z
Modified
2026-02-05T09:19:37.337336Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

References

Affected packages

Git / github.com/freeipa/freeipa

Affected ranges

Type
GIT
Repo
https://github.com/freeipa/freeipa
Events
Introduced
082ec006f43883540eca48d8190c3d6bf83c9405
Fixed
74710a8ed24b4b8a14a07ca0642507d260039b30
Fixed
9c617675d6676fcdb0e9d67fed6bb801e0066bfe
Introduced
f84b3f39edb880183722f4814acc56ae1f8edba7
Fixed
deec13573d02c9e7eabd19201b7adb1e1eccd7e3

Affected versions

Other
release-4-10-0
release-4-10-1
release-4-10-2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-5455.json"