CVE-2020-28942

Published: Nov 19, 2020 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2020-21330 Aliases: GSD-2020-28942

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 4,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: low

Availability: none

MEDIUM 4,0

Source: [email protected]

Access Vector: network

Access Complexity: low

Authentication: single

Confidentiality: none

Integrity: partial

Availability: none

Description

AI Translation Available

An issue exists in PrimeKey EJBCA before 7.4.3 when enrolling with EST while proxied through an RA over the Peers protocol. As a part of EJBCA's domain security model, the peer connector allows the restriction of client certificates (for the RA, not the end user) to a limited set of allowed CAs, thus restricting the accessibility of that RA to the rights it has within a specific role. While this works for other protocols such as CMP, it was found that the EJBCA enrollment over an EST implementation bypasses this check, allowing enrollment with a valid client certificate through any functioning and authenticated RA connected to the CA. NOTE: an attacker must already have a trusted client certificate and authorization to enroll against the targeted CA.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0010

Percentile

0,3th

Updated

EPSS Score Trend (Last 91 Days)

295

Improper Certificate Validation

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Authentication

Potential Impacts:

Bypass Protection Mechanism Gain Privileges Or Assume Identity

Applicable Platforms

Technologies: Mobile, Not Technology-Specific, Web Based

View CWE Details

Application

Ejbca by Primekey

Product Information

Vendor Primekey

Product Ejbca

Version Range Affected

To 7.4.3 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:primekey:ejbca:*:*:*:*:enterprise:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://support.primekey.com/news/posts/40

Vendor Advisory

https://support.primekey.com/news/posts/40

Vendor Advisory

https://support.primekey.com/news/posts/40

CVE-2020-28942

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 91 Days)

Improper Certificate Validation

Common Consequences

Applicable Platforms

Ejbca by Primekey

Product Information

Iscriviti alla newsletter