{"containers": {"cna": {"affected": [{"product": "make-ca", "vendor": "lfs-book", "versions": [{"status": "affected", "version": ">= 0.9, < 1.10"}]}], "descriptions": [{"lang": "en", "value": "make-ca is a utility to deliver and manage a complete PKI configuration for workstations and servers. Starting with version 0.9 and prior to version 1.10, make-ca misinterprets Mozilla certdata.txt and treats explicitly untrusted certificates like trusted ones, causing those explicitly untrusted certificates trusted by the system. The explicitly untrusted certificates were used by some CAs already hacked. Hostile attackers may perform a MIM attack exploiting them. Everyone using the affected versions of make-ca should upgrade to make-ca-1.10, and run `make-ca -f -g` as the `root` user to regenerate the trusted store immediately. As a workaround, users may delete the untrusted certificates from /etc/pki/tls and /etc/ssl/certs manually (or by a script), but this is not recommended because the manual changes will be overwritten next time running make-ca to update the trusted anchor."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-115", "description": "CWE-115: Misinterpretation of Input", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-10T21:00:13.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lfs-book/make-ca/security/advisories/GHSA-m5qh-728v-4xrx"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/lfs-book/make-ca/issues/19"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/lfs-book/make-ca/pull/20"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.linuxfromscratch.org/sympa/arc/blfs-support/2022-01/msg00020.html"}], "source": {"advisory": "GHSA-m5qh-728v-4xrx", "discovery": "UNKNOWN"}, "title": "/etc/pki/tls and /etc/ssl/certs include distrusted certificates in make-ca", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-21672", "STATE": "PUBLIC", "TITLE": "/etc/pki/tls and /etc/ssl/certs include distrusted certificates in make-ca"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "make-ca", "version": {"version_data": [{"version_value": ">= 0.9, < 1.10"}]}}]}, "vendor_name": "lfs-book"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "make-ca is a utility to deliver and manage a complete PKI configuration for workstations and servers. Starting with version 0.9 and prior to version 1.10, make-ca misinterprets Mozilla certdata.txt and treats explicitly untrusted certificates like trusted ones, causing those explicitly untrusted certificates trusted by the system. The explicitly untrusted certificates were used by some CAs already hacked. Hostile attackers may perform a MIM attack exploiting them. Everyone using the affected versions of make-ca should upgrade to make-ca-1.10, and run `make-ca -f -g` as the `root` user to regenerate the trusted store immediately. As a workaround, users may delete the untrusted certificates from /etc/pki/tls and /etc/ssl/certs manually (or by a script), but this is not recommended because the manual changes will be overwritten next time running make-ca to update the trusted anchor."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-115: Misinterpretation of Input"}]}]}, "references": {"reference_data": [{"name": "https://github.com/lfs-book/make-ca/security/advisories/GHSA-m5qh-728v-4xrx", "refsource": "CONFIRM", "url": "https://github.com/lfs-book/make-ca/security/advisories/GHSA-m5qh-728v-4xrx"}, {"name": "https://github.com/lfs-book/make-ca/issues/19", "refsource": "MISC", "url": "https://github.com/lfs-book/make-ca/issues/19"}, {"name": "https://github.com/lfs-book/make-ca/pull/20", "refsource": "MISC", "url": "https://github.com/lfs-book/make-ca/pull/20"}, {"name": "https://lists.linuxfromscratch.org/sympa/arc/blfs-support/2022-01/msg00020.html", "refsource": "MISC", "url": "https://lists.linuxfromscratch.org/sympa/arc/blfs-support/2022-01/msg00020.html"}]}, "source": {"advisory": "GHSA-m5qh-728v-4xrx", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:46:39.386Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/lfs-book/make-ca/security/advisories/GHSA-m5qh-728v-4xrx"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/lfs-book/make-ca/issues/19"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/lfs-book/make-ca/pull/20"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.linuxfromscratch.org/sympa/arc/blfs-support/2022-01/msg00020.html"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T14:12:26.450363Z", "id": "CVE-2022-21672", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T19:13:51.833Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-21672", "datePublished": "2022-01-10T21:00:13.000Z", "dateReserved": "2021-11-16T00:00:00.000Z", "dateUpdated": "2025-04-23T19:13:51.833Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfromscratch:make-ca:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DF45D07-0CDF-49E7-B12B-1A17B3357573", "versionEndExcluding": "1.10", "versionStartIncluding": "0.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "make-ca is a utility to deliver and manage a complete PKI configuration for workstations and servers. Starting with version 0.9 and prior to version 1.10, make-ca misinterprets Mozilla certdata.txt and treats explicitly untrusted certificates like trusted ones, causing those explicitly untrusted certificates trusted by the system. The explicitly untrusted certificates were used by some CAs already hacked. Hostile attackers may perform a MIM attack exploiting them. Everyone using the affected versions of make-ca should upgrade to make-ca-1.10, and run `make-ca -f -g` as the `root` user to regenerate the trusted store immediately. As a workaround, users may delete the untrusted certificates from /etc/pki/tls and /etc/ssl/certs manually (or by a script), but this is not recommended because the manual changes will be overwritten next time running make-ca to update the trusted anchor."}, {"lang": "es", "value": "make-ca es una utilidad para entregar y administrar una configuraci\u00f3n PKI completa para estaciones de trabajo y servidores. A partir de la versi\u00f3n 0.9 y versiones anteriores a 1.10, make-ca malinterpreta Mozilla certdata.txt y trata los certificados expl\u00edcitamente no confiables como si fueran confiables, causando que esos certificados expl\u00edcitamente no confiables sean confiados por el sistema. Los certificados expl\u00edcitamente no confiables fueron usados por algunas CAs ya hackeadas. Los atacantes hostiles pueden llevar a cabo un ataque de tipo MIM explot\u00e1ndolos. Todos los que usen las versiones afectadas de make-ca deber\u00edan actualizar a make-ca-1.10, y ejecutar \"make-ca -f -g\" como usuario \"root\" para regenerar el almac\u00e9n confiable inmediatamente. Como soluci\u00f3n, los usuarios pueden borrar los certificados no confiables de /etc/pki/tls y /etc/ssl/certs manualmente (o mediante un script), pero no es recomendado porque los cambios manuales ser\u00e1n sobreescritos la pr\u00f3xima vez que sea ejecutado make-ca para actualizar el anclaje confiable"}], "id": "CVE-2022-21672", "lastModified": "2024-11-21T06:45:12.117", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-10T21:15:08.043", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Mitigation", "Third Party Advisory"], "url": "https://github.com/lfs-book/make-ca/issues/19"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/lfs-book/make-ca/pull/20"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/lfs-book/make-ca/security/advisories/GHSA-m5qh-728v-4xrx"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "url": "https://lists.linuxfromscratch.org/sympa/arc/blfs-support/2022-01/msg00020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mitigation", "Third Party Advisory"], "url": "https://github.com/lfs-book/make-ca/issues/19"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/lfs-book/make-ca/pull/20"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/lfs-book/make-ca/security/advisories/GHSA-m5qh-728v-4xrx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "url": "https://lists.linuxfromscratch.org/sympa/arc/blfs-support/2022-01/msg00020.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-115"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}