A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.
Metrics
Affected Vendors & Products
References
History
Mon, 16 Sep 2024 16:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2024-01-10T12:33:00.336Z
Updated: 2024-09-16T16:07:33.511Z
Reserved: 2023-10-09T04:39:08.777Z
Link: CVE-2023-5455
Vulnrichment
No data.
NVD
Status : Modified
Published: 2024-01-10T13:15:48.643
Modified: 2024-09-16T16:15:09.270
Link: CVE-2023-5455
Redhat