CVE-2023-4727

NameCVE-2023-4727
DescriptionA flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with a LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to escalation of privilege.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1082868

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dogtag-pki (PTS)bullseye10.10.2-3vulnerable
sid11.2.1-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dogtag-pkisource(unstable)(unfixed)1082868

Notes

[bullseye] - dogtag-pki <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2232218
Search for package or bug name: Reporting problems