Authentication Bypass by Primary Weakness Affecting idm-pki-est package, versions <0:11.5.0-2.el9_4


Severity

Recommended
high

Based on Rocky Linux security rating.

Threat Intelligence

EPSS
0.04% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ROCKY9-IDMPKIEST-7419621
  • published4 Jul 2024
  • disclosed11 Jun 2024

Introduced: 11 Jun 2024

CVE-2023-4727  (opens in a new tab)
CWE-305  (opens in a new tab)

How to fix?

Upgrade Rocky-Linux:9 idm-pki-est to version 0:11.5.0-2.el9_4 or higher.
This issue was patched in RLSA-2024:4165.

NVD Description

Note: Versions mentioned in the description apply only to the upstream idm-pki-est package and not the idm-pki-est package as distributed by Rocky-Linux. See How to fix? for Rocky-Linux:9 relevant fixed versions and status.

A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with a LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to escalation of privilege.

CVSS Scores

version 3.1