{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5455", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-10-09T04:39:08.777Z", "datePublished": "2024-01-10T12:33:00.336Z", "dateUpdated": "2024-11-23T03:29:04.471Z"}, "containers": {"cna": {"title": "Ipa: invalid csrf protection", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ipa", "defaultStatus": "affected", "versions": [{"version": "0:4.6.8-5.el7_9.16", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:7::server", "cpe:/o:redhat:enterprise_linux:7::workstation", "cpe:/o:redhat:enterprise_linux:7::computenode", "cpe:/o:redhat:enterprise_linux:7::client"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "idm:DL1", "defaultStatus": "affected", "versions": [{"version": "8090020231201152514.3387e3d0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "idm:DL1", "defaultStatus": "affected", "versions": [{"version": "8020020231123154806.792f4060", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_tus:8.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "idm:DL1", "defaultStatus": "affected", "versions": [{"version": "8020020231123154806.792f4060", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_tus:8.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "idm:DL1", "defaultStatus": "affected", "versions": [{"version": "8020020231123154806.792f4060", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_tus:8.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "idm:DL1", "defaultStatus": "affected", "versions": [{"version": "8040020231123154610.5b01ab7e", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "idm:DL1", "defaultStatus": "affected", "versions": [{"version": "8040020231123154610.5b01ab7e", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "idm:DL1", "defaultStatus": "affected", "versions": [{"version": "8040020231123154610.5b01ab7e", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "idm:DL1", "defaultStatus": "affected", "versions": [{"version": "8060020231208020207.ada582f1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:8.6::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "krb5", "defaultStatus": "affected", "versions": [{"version": "0:1.18.2-16.el8_6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhel_eus:8.6::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.8 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "idm:DL1", "defaultStatus": "affected", "versions": [{"version": "8080020231201153604.b0a6ceea", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:8.8::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ipa", "defaultStatus": "affected", "versions": [{"version": "0:4.10.2-5.el9_3", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ipa", "defaultStatus": "affected", "versions": [{"version": "0:4.9.8-9.el9_0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.0::crb", "cpe:/a:redhat:rhel_eus:9.0::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.2 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ipa", "defaultStatus": "affected", "versions": [{"version": "0:4.10.1-10.el9_2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.2::appstream", "cpe:/a:redhat:rhel_eus:9.2::crb"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ipa", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "idm:client/ipa", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "krb5", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:0137", "name": "RHSA-2024:0137", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0138", "name": "RHSA-2024:0138", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0139", "name": "RHSA-2024:0139", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0140", "name": "RHSA-2024:0140", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0141", "name": "RHSA-2024:0141", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0142", "name": "RHSA-2024:0142", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0143", "name": "RHSA-2024:0143", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0144", "name": "RHSA-2024:0144", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0145", "name": "RHSA-2024:0145", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0252", "name": "RHSA-2024:0252", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5455", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242828", "name": "RHBZ#2242828", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://www.freeipa.org/release-notes/4-10-3.html"}, {"url": "https://www.freeipa.org/release-notes/4-11-1.html"}, {"url": "https://www.freeipa.org/release-notes/4-6-10.html"}, {"url": "https://www.freeipa.org/release-notes/4-9-14.html"}], "datePublic": "2024-01-10T06:30:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-352: Cross-Site Request Forgery (CSRF)", "workarounds": [{"lang": "en", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}], "timeline": [{"lang": "en", "time": "2023-10-09T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-01-10T06:30:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-23T03:29:04.471Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:59:44.726Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:0137", "name": "RHSA-2024:0137", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0138", "name": "RHSA-2024:0138", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0139", "name": "RHSA-2024:0139", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0140", "name": "RHSA-2024:0140", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0141", "name": "RHSA-2024:0141", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0142", "name": "RHSA-2024:0142", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0143", "name": "RHSA-2024:0143", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0144", "name": "RHSA-2024:0144", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0145", "name": "RHSA-2024:0145", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0252", "name": "RHSA-2024:0252", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5455", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242828", "name": "RHBZ#2242828", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U76DAZZVY7V4XQBOOV5ETPTHW3A6MW5O/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFNUQH7IOHTKCTKQWFHONWGUBOUANL6I/", "tags": ["x_transferred"]}, {"url": "https://www.freeipa.org/release-notes/4-10-3.html", "tags": ["x_transferred"]}, {"url": "https://www.freeipa.org/release-notes/4-11-1.html", "tags": ["x_transferred"]}, {"url": "https://www.freeipa.org/release-notes/4-6-10.html", "tags": ["x_transferred"]}, {"url": "https://www.freeipa.org/release-notes/4-9-14.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-01-23T16:16:21.894068Z", "id": "CVE-2023-5455", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-14T15:56:55.572Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:0137", "name": "RHSA-2024:0137", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0138", "name": "RHSA-2024:0138", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0139", "name": "RHSA-2024:0139", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0140", "name": "RHSA-2024:0140", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0141", "name": "RHSA-2024:0141", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0142", "name": "RHSA-2024:0142", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0143", "name": "RHSA-2024:0143", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0144", "name": "RHSA-2024:0144", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0145", "name": "RHSA-2024:0145", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0252", "name": "RHSA-2024:0252", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5455", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242828", "name": "RHBZ#2242828", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U76DAZZVY7V4XQBOOV5ETPTHW3A6MW5O/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFNUQH7IOHTKCTKQWFHONWGUBOUANL6I/", "tags": ["x_transferred"]}, {"url": "https://www.freeipa.org/release-notes/4-10-3.html", "tags": ["x_transferred"]}, {"url": "https://www.freeipa.org/release-notes/4-11-1.html", "tags": ["x_transferred"]}, {"url": "https://www.freeipa.org/release-notes/4-6-10.html", "tags": ["x_transferred"]}, {"url": "https://www.freeipa.org/release-notes/4-9-14.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:59:44.726Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-5455", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-23T16:16:21.894068Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-14T15:56:51.236Z"}}], "cna": {"title": "Ipa: invalid csrf protection", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"cpes": ["cpe:/o:redhat:enterprise_linux:7::server", "cpe:/o:redhat:enterprise_linux:7::workstation", "cpe:/o:redhat:enterprise_linux:7::computenode", "cpe:/o:redhat:enterprise_linux:7::client"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "versions": [{"status": "unaffected", "version": "0:4.6.8-5.el7_9.16", "lessThan": "*", "versionType": "rpm"}], "packageName": "ipa", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "8090020231201152514.3387e3d0", "lessThan": "*", "versionType": "rpm"}], "packageName": "idm:DL1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_tus:8.2::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "versions": [{"status": "unaffected", "version": "8020020231123154806.792f4060", "lessThan": "*", "versionType": "rpm"}], "packageName": "idm:DL1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_tus:8.2::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "versions": [{"status": "unaffected", "version": "8020020231123154806.792f4060", "lessThan": "*", "versionType": "rpm"}], "packageName": "idm:DL1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_tus:8.2::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "versions": [{"status": "unaffected", "version": "8020020231123154806.792f4060", "lessThan": "*", "versionType": "rpm"}], "packageName": "idm:DL1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "versions": [{"status": "unaffected", "version": "8040020231123154610.5b01ab7e", "lessThan": "*", "versionType": "rpm"}], "packageName": "idm:DL1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "versions": [{"status": "unaffected", "version": "8040020231123154610.5b01ab7e", "lessThan": "*", "versionType": "rpm"}], "packageName": "idm:DL1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "versions": [{"status": "unaffected", "version": "8040020231123154610.5b01ab7e", "lessThan": "*", "versionType": "rpm"}], "packageName": "idm:DL1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:8.6::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Extended Update Support", "versions": [{"status": "unaffected", "version": "8060020231208020207.ada582f1", "lessThan": "*", "versionType": "rpm"}], "packageName": "idm:DL1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:rhel_eus:8.6::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Extended Update Support", "versions": [{"status": "unaffected", "version": "0:1.18.2-16.el8_6", "lessThan": "*", "versionType": "rpm"}], "packageName": "krb5", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:8.8::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.8 Extended Update Support", "versions": [{"status": "unaffected", "version": "8080020231201153604.b0a6ceea", "lessThan": "*", "versionType": "rpm"}], "packageName": "idm:DL1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:4.10.2-5.el9_3", "lessThan": "*", "versionType": "rpm"}], "packageName": "ipa", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:9.0::crb", "cpe:/a:redhat:rhel_eus:9.0::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "versions": [{"status": "unaffected", "version": "0:4.9.8-9.el9_0", "lessThan": "*", "versionType": "rpm"}], "packageName": "ipa", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:9.2::appstream", "cpe:/a:redhat:rhel_eus:9.2::crb"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.2 Extended Update Support", "versions": [{"status": "unaffected", "version": "0:4.10.1-10.el9_2", "lessThan": "*", "versionType": "rpm"}], "packageName": "ipa", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "packageName": "ipa", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "idm:client/ipa", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "krb5", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2023-10-09T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-01-10T06:30:00+00:00", "value": "Made public."}], "datePublic": "2024-01-10T06:30:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:0137", "name": "RHSA-2024:0137", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0138", "name": "RHSA-2024:0138", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0139", "name": "RHSA-2024:0139", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0140", "name": "RHSA-2024:0140", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0141", "name": "RHSA-2024:0141", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0142", "name": "RHSA-2024:0142", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0143", "name": "RHSA-2024:0143", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0144", "name": "RHSA-2024:0144", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0145", "name": "RHSA-2024:0145", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0252", "name": "RHSA-2024:0252", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5455", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242828", "name": "RHBZ#2242828", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://www.freeipa.org/release-notes/4-10-3.html"}, {"url": "https://www.freeipa.org/release-notes/4-11-1.html"}, {"url": "https://www.freeipa.org/release-notes/4-6-10.html"}, {"url": "https://www.freeipa.org/release-notes/4-9-14.html"}], "workarounds": [{"lang": "en", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}], "descriptions": [{"lang": "en", "value": "A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-23T03:29:04.471Z"}, "x_redhatCweChain": "CWE-352: Cross-Site Request Forgery (CSRF)"}}, "cveMetadata": {"cveId": "CVE-2023-5455", "state": "PUBLISHED", "dateUpdated": "2024-11-23T03:29:04.471Z", "dateReserved": "2023-10-09T04:39:08.777Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-01-10T12:33:00.336Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freeipa:freeipa:*:*:*:*:*:*:*:*", "matchCriteriaId": "F01233DD-A506-4E02-B824-994F14CCC178", "versionEndExcluding": "4.6.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:freeipa:freeipa:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE2615F6-DA17-44FD-B7BF-A82F5A005CEA", "versionEndExcluding": "4.9.14", "versionStartIncluding": "4.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:freeipa:freeipa:*:*:*:*:*:*:*:*", "matchCriteriaId": "761C5CBD-6A92-48E7-8C9B-401DD6D1B59F", "versionEndExcluding": "4.10.3", "versionStartIncluding": "4.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:freeipa:freeipa:4.11.0:-:*:*:*:*:*:*", "matchCriteriaId": "0A5B25F1-BFB1-47C8-8BDE-A0E817D175F3", "vulnerable": true}, {"criteria": "cpe:2.3:a:freeipa:freeipa:4.11.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "4A1F8BF2-0FF7-40FD-A4B4-F040A07BCD64", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:codeready_linux_builder:-:*:*:*:*:*:*:*", "matchCriteriaId": "1CD81C46-328B-412D-AF4E-68A2AD2F1A73", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:arm64:*", "matchCriteriaId": "07670103-FC39-4797-AF5F-1604DA1E6BF5", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.4:*:*:*:*:*:*:*", "matchCriteriaId": "5DAD1E4A-B22F-432C-97C8-D91D286535F1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "6C3741B8-851F-475D-B428-523F4F722350", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:arm64:*", "matchCriteriaId": "2244278A-3AC8-437F-9F23-6FA63E7C603D", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "62C31522-0A17-4025-B269-855C7F4B45C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "4DDA3E5A-8754-4C48-9A27-E2415F8A6000", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "3C74F6FA-FA6C-4648-9079-91446E45EE47", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "83981111-E13A-4A88-80FD-F63D7CCAA47F", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "6AAF4A69-A4CC-409E-BC05-FABAE86321B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "78825319-8A45-4880-B7C4-2B223029DDD3", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "566507B6-AC95-47F7-A3FB-C6F414E45F51", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "87C21FE1-EA5C-498F-9C6C-D05F91A88217", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "D650BFB9-4FDC-4311-8D7E-D981C8F4FA3B", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "9EF5C4AC-CA69-41E3-AD93-7AC21931374A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "83364F5C-57F4-4D57-B54F-540CAC1D7753", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "B6C30A81-BF75-46CC-A05E-42BAF271D1C4", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "213A5029-FCF9-4EA9-AEF9-21313F6DCBD8", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "1CDCFF34-6F1D-45A1-BE37-6A0E17B04801", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "B4A684C7-88FD-43C4-9BDB-AE337FCBD0AB", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "47811209-5CE5-4375-8391-B0A7F6A0E420", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "35EEDB95-DCD1-4FED-9BBB-877B2062410C", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "729C515E-1DD3-466D-A50B-AFE058FFC94A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "A49ABD84-6755-4894-AD4E-49AAD39933C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "868A6ED7-44DD-44FF-8ADD-9971298A1175", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "71DDE212-1018-4554-9C06-4908442DE134", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "37CE1DC7-72C5-483C-8921-0B462C8284D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:9.0:*:*:*:*:*:arm64:*", "matchCriteriaId": "BC78EE94-02A0-441D-9723-385E6C43CF90", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:9.2:*:*:*:*:*:arm64:*", "matchCriteriaId": "ADEB6E4F-E680-40CC-AD70-9872BDE1C66F", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*", "matchCriteriaId": "6897676D-53F9-45B3-B27F-7FF9A4C58D33", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*", "matchCriteriaId": "E28F226A-CBC7-4A32-BE58-398FA5B42481", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "76C24D94-834A-4E9D-8F73-624AFA99AAA2", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "F32CA554-F9D7-425B-8F1C-89678507F28C", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_ibm_z_systems:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "E0755055-E98F-4A33-B4B9-1BFCFF03EF8E", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DA6A5AF-2EBE-4ED9-B312-DCD9D150D031", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*", "matchCriteriaId": "22D095ED-9247-4133-A133-73B7668565E4", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "871A5C26-DB7B-4870-A5B2-5DD24C90B4A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*", "matchCriteriaId": "B09ACF2D-D83F-4A86-8185-9569605D8EE1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*", "matchCriteriaId": "AC10D919-57FD-4725-B8D2-39ECB476902F", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "1272DF03-7674-4BD4-8E64-94004B195448", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*", "matchCriteriaId": "3921C1CF-A16D-4727-99AD-03EFFA7C91CA", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "7614E5D3-4643-4CAE-9578-9BB9D558211F", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "BE1A81A1-63EC-431C-9CBC-8D28C15AB3E5", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "FC7D8E93-D4BE-46E7-BDE7-843BF8A33162", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "083AAC55-E87B-482A-A1F4-8F2DEB90CB23", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "1FD9BF0E-7ACF-4A83-B754-6E3979ED903F", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross-site request forgery en ipa/session/login_password en todas las versiones compatibles de IPA. Este fallo permite a un atacante enga\u00f1ar al usuario para que env\u00ede una solicitud que podr\u00eda realizar acciones como el usuario, lo que resulta en una p\u00e9rdida de confidencialidad e integridad del sistema. Durante las pruebas de penetraci\u00f3n de la comunidad, se descubri\u00f3 que para ciertos endpoints HTTP, FreeIPA no garantizan la protecci\u00f3n CSRF. Debido a los detalles de implementaci\u00f3n, no se puede utilizar este fallo para reflejar una cookie que represente a un usuario que ya inici\u00f3 sesi\u00f3n. Un atacante siempre tendr\u00eda que realizar un nuevo intento de autenticaci\u00f3n."}], "id": "CVE-2023-5455", "lastModified": "2024-11-21T08:41:47.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-10T13:15:48.643", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0137"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0138"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0139"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0140"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0141"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0142"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0143"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0144"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0145"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0252"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-5455"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242828"}, {"source": "secalert@redhat.com", "tags": ["Release Notes"], "url": "https://www.freeipa.org/release-notes/4-10-3.html"}, {"source": "secalert@redhat.com", "tags": ["Release Notes"], "url": "https://www.freeipa.org/release-notes/4-11-1.html"}, {"source": "secalert@redhat.com", "tags": ["Release Notes"], "url": "https://www.freeipa.org/release-notes/4-6-10.html"}, {"source": "secalert@redhat.com", "tags": ["Release Notes"], "url": "https://www.freeipa.org/release-notes/4-9-14.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0137"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0138"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0139"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0140"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0141"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0142"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0143"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0144"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0145"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0252"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-5455"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242828"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U76DAZZVY7V4XQBOOV5ETPTHW3A6MW5O/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFNUQH7IOHTKCTKQWFHONWGUBOUANL6I/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.freeipa.org/release-notes/4-10-3.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.freeipa.org/release-notes/4-11-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.freeipa.org/release-notes/4-6-10.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.freeipa.org/release-notes/4-9-14.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:0145", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "ipa-0:4.6.8-5.el7_9.16", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0143", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "idm:DL1-8090020231201152514.3387e3d0", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0144", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "idm:DL1-8020020231123154806.792f4060", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0144", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "idm:DL1-8020020231123154806.792f4060", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0144", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "idm:DL1-8020020231123154806.792f4060", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0138", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "idm:DL1-8040020231123154610.5b01ab7e", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0138", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "idm:DL1-8040020231123154610.5b01ab7e", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0138", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "idm:DL1-8040020231123154610.5b01ab7e", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0139", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "idm:DL1-8060020231208020207.ada582f1", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0252", "cpe": "cpe:/o:redhat:rhel_eus:8.6", "package": "krb5-0:1.18.2-16.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-01-15T00:00:00Z"}, {"advisory": "RHSA-2024:0137", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "idm:DL1-8080020231201153604.b0a6ceea", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0141", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "ipa-0:4.10.2-5.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0140", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "ipa-0:4.9.8-9.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0142", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "ipa-0:4.10.1-10.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-01-10T00:00:00Z"}], "bugzilla": {"description": "ipa: Invalid CSRF protection", "id": "2242828", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242828"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-352", "details": ["A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.", "A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2023-5455", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ipa", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "idm:client/ipa", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2024-01-10T06:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-5455\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5455\nhttps://www.freeipa.org/release-notes/4-10-3.html\nhttps://www.freeipa.org/release-notes/4-11-1.html\nhttps://www.freeipa.org/release-notes/4-6-10.html\nhttps://www.freeipa.org/release-notes/4-9-14.html"], "statement": "The CSRF vulnerability in ipa/session/login_password is considered a moderate issue due to the need for the attacker to trick users into submitting a request. This implies that exploitation requires user interaction for a new authentication attempt, rather than reflecting a cookie for an already logged-in user. While the vulnerability could result in a loss of confidentiality and system integrity, the specific actions and their severity are not explicitly detailed. The moderate classification suggests that, while serious, the limitations on exploitation conditions and potential impact contribute to a moderate overall severity.", "threat_severity": "Moderate", "upstream_fix": "ipa 4-11-1"}