CVE-2020-11628

Published: Apr 8, 2020Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. It is intended to support restriction of available remote protocols (CMP, ACME, REST, etc.) through the system configuration. These restrictions can be bypassed by modifying the URI string from a client. (EJBCA's internal access control restrictions are still in place, and each respective protocol must be configured to allow for enrollment.)

Affected (2)

Products: Primekey: Ejbca

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Primekey Ejbca	Before 6.15.2.6
Primekey Ejbca	From 7.0.0 to 7.3.1.2

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://support.primekey.com/news/posts/ejbca-security-advisory-protocol-access-control-bypass

Source: cve@mitre.org

Vendor Advisory

https://support.primekey.com/news/posts/ejbca-security-advisory-protocol-access-control-bypass

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.