CVE-2023-5455

Source
https://cve.org/CVERecord?id=CVE-2023-5455
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-5455.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-5455
Downstream
Related
Published
2024-01-10T12:33:00.336Z
Modified
2026-07-08T08:11:41.463012420Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Ipa: invalid csrf protection
Details

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/5xxx/CVE-2023-5455.json",
    "cna_assigner": "redhat",
    "cwe_ids": [
        "CWE-352"
    ]
}
References

Affected packages

Git / github.com/freeipa/freeipa

Affected ranges

Type
GIT
Repo
https://github.com/freeipa/freeipa
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "cpe": [
        "cpe:2.3:a:freeipa:freeipa:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:freeipa:freeipa:4.11.0:-:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.6.10"
        },
        {
            "introduced": "4.7.0"
        },
        {
            "fixed": "4.9.14"
        },
        {
            "introduced": "4.10.0"
        },
        {
            "fixed": "4.10.3"
        },
        {
            "introduced": "4.11.0-NA"
        },
        {
            "last_affected": "4.11.0-NA"
        }
    ]
}

Affected versions

4.*
4.11.0-NA
Other
alpha-1-9-0
alpha_1-4-2-0
alpha_1-4-4-0
alpha_2-1-9-0
alpha_3-1-9-0
alpha_4-1-9-0
alpha_5-1-9-0
alpha_5-1-9-0-1
beta_1-2-0-0
beta_1-3-0-0
beta_1-3-2-0
beta_1-3-3-0
beta_2-3-0-0
beta_2-3-3-0
milestone_2
milestone_3
milestone_4
milestone_4_1
milestone_6
rc_1-2-0-0
rc_2-2-0-0
rc_3-2-0-0
rc_4-7-0-1
rc_4-7-0-2
rc_4-8-0-1
rc_4-9-0-1
rc_4-9-0-2
rc_4-9-0-3
release-1-0-0
release-1-1-0
release-2-0-0
release-2-1-0
release-3-1-0
release-3-2-0
release-3-2-0-pre1
release-3-3-0
release-4-0-0
release-4-10-0
release-4-10-1
release-4-10-2
release-4-2-0
release-4-4-0
release-4-4-1
release-4-6-0
release-4-6-1
release-4-6-2
release-4-6-3
release-4-6-4
release-4-6-5
release-4-6-6
release-4-6-8
release-4-6-9
release-4-8-0
release-4-9-0
release-4-9-1
release-4-9-10
release-4-9-11
release-4-9-12
release-4-9-13
release-4-9-2
release-4-9-3
release-4-9-4
release-4-9-5
release-4-9-6
release-4-9-7
release-4-9-8
release-4-9-9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-5455.json"