A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Fedoraproject
  • Fedora
Freeipa
  • Freeipa
Redhat
  • Codeready Linux Builder
  • Enterprise Linux
  • Enterprise Linux Desktop
  • Enterprise Linux Eus
  • Enterprise Linux For Arm 64 Eus
  • Enterprise Linux For Ibm Z Systems
  • Enterprise Linux For Ibm Z Systems Eus
  • Enterprise Linux For Power Big Endian
  • Enterprise Linux For Power Little Endian
  • Enterprise Linux For Power Little Endian Eus
  • Enterprise Linux For Scientific Computing
  • Enterprise Linux Server
  • Enterprise Linux Server Aus
  • Enterprise Linux Server For Ibm Z Systems
  • Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions
  • Enterprise Linux Server Tus
  • Enterprise Linux Server Update Services For Sap Solutions
  • Enterprise Linux Update Services For Sap Solutions
  • Enterprise Linux Workstation
  • Rhel Aus
  • Rhel E4s
  • Rhel Eus
  • Rhel Tus

Configuration 1 [-]

OR cpe:2.3:a:freeipa:freeipa:*:*:*:*:*:*:*:*
cpe:2.3:a:freeipa:freeipa:*:*:*:*:*:*:*:*
cpe:2.3:a:freeipa:freeipa:*:*:*:*:*:*:*:*
cpe:2.3:a:freeipa:freeipa:4.11.0:-:*:*:*:*:*:*
cpe:2.3:a:freeipa:freeipa:4.11.0:beta1:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:redhat:codeready_linux_builder:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:arm64:*
cpe:2.3:o:redhat:enterprise_linux:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:arm64:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:9.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:8.8:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.8:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.8:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:9.0:*:*:*:*:*:arm64:*
cpe:2.3:o:redhat:enterprise_linux_server:9.2:*:*:*:*:*:arm64:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_ibm_z_systems:9.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:9.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:9.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 7
ipa-0:4.6.8-5.el7_9.16 cpe:/o:redhat:enterprise_linux:7 RHSA-2024:0145 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 8
idm:DL1-8090020231201152514.3387e3d0 cpe:/a:redhat:enterprise_linux:8 RHSA-2024:0143 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
idm:DL1-8020020231123154806.792f4060 cpe:/a:redhat:rhel_aus:8.2 RHSA-2024:0144 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
idm:DL1-8020020231123154806.792f4060 cpe:/a:redhat:rhel_tus:8.2 RHSA-2024:0144 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
idm:DL1-8020020231123154806.792f4060 cpe:/a:redhat:rhel_e4s:8.2 RHSA-2024:0144 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
idm:DL1-8040020231123154610.5b01ab7e cpe:/a:redhat:rhel_aus:8.4 RHSA-2024:0138 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
idm:DL1-8040020231123154610.5b01ab7e cpe:/a:redhat:rhel_tus:8.4 RHSA-2024:0138 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
idm:DL1-8040020231123154610.5b01ab7e cpe:/a:redhat:rhel_e4s:8.4 RHSA-2024:0138 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
idm:DL1-8060020231208020207.ada582f1 cpe:/a:redhat:rhel_eus:8.6 RHSA-2024:0139 2024-01-10T00:00:00Z
krb5-0:1.18.2-16.el8_6 cpe:/o:redhat:rhel_eus:8.6 RHSA-2024:0252 2024-01-15T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
idm:DL1-8080020231201153604.b0a6ceea cpe:/a:redhat:rhel_eus:8.8 RHSA-2024:0137 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 9
ipa-0:4.10.2-5.el9_3 cpe:/a:redhat:enterprise_linux:9 RHSA-2024:0141 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 9.0 Extended Update Support
ipa-0:4.9.8-9.el9_0 cpe:/a:redhat:rhel_eus:9.0 RHSA-2024:0140 2024-01-10T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
ipa-0:4.10.1-10.el9_2 cpe:/a:redhat:rhel_eus:9.2 RHSA-2024:0142 2024-01-10T00:00:00Z
References
Link Providers
https://access.redhat.com/errata/RHSA-2024:0137 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0138 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0139 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0140 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0141 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0142 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0143 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0144 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0145 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:0252 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2023-5455 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2242828 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2023-5455 cve-icon
https://www.cve.org/CVERecord?id=CVE-2023-5455 cve-icon
https://www.freeipa.org/release-notes/4-10-3.html cve-icon cve-icon cve-icon
https://www.freeipa.org/release-notes/4-11-1.html cve-icon cve-icon cve-icon
https://www.freeipa.org/release-notes/4-6-10.html cve-icon cve-icon cve-icon
https://www.freeipa.org/release-notes/4-9-14.html cve-icon cve-icon cve-icon
History

Mon, 16 Sep 2024 16:30:00 +0000

Type Values Removed Values Added
References
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-01-10T12:33:00.336Z

Updated: 2024-09-16T16:07:33.511Z

Reserved: 2023-10-09T04:39:08.777Z

Link: CVE-2023-5455

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2024-01-10T13:15:48.643

Modified: 2024-09-16T16:15:09.270

Link: CVE-2023-5455

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-01-10T06:30:00Z

Links: CVE-2023-5455 - Bugzilla