#6713 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands (CVE-2017-2590)
Closed: fixed 7 years ago Opened 7 years ago by jcholast.

Multiple security issues were found in FreeIPA's 'ca' plugin. Any authenticated but unauthorised user can delete, disable or enable CAs in Dogtag. The impact in the deletion case is denial of service for cert issuance or OCSP signing, and deletion of secret keys. The impact for disablement is denial of service for cert issuance.


master:

  • b81ac59 ca: correctly authorise ca-del, ca-enable and ca-disable

ipa-4-4:

  • 1aa314c ca: correctly authorise ca-del, ca-enable and ca-disable

Metadata Update from @jcholast:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1413137
- Custom field tester adjusted to wanted

7 years ago

Metadata Update from @jcholast:
- Issue close_status updated to: fixed
- Issue set to the milestone: FreeIPA 4.4.4
- Issue status updated to: Closed (was: Open)

7 years ago
