Access Control Vulnerability in Dogtag PKI by Red Hat
CVE-2018-1080

7.5HIGH

Key Information:

Vendor

[unknown]

Status
Pki-core
Vendor
CVE Published:
3 July 2018

What is CVE-2018-1080?

Dogtag PKI, up to version 10.6.1, contains a vulnerability in the AAclAuthz.java component, which can lead to a reversal of ACL allow and deny rules under specific configurations. When the server is set to process allow rules prior to deny rules (authz.evaluateOrder=allow,deny), the intended access control logic is compromised, resulting in a scenario where access is improperly denied and permissions are inadvertently granted, potentially leading to privilege escalation and other unintended security consequences.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

pki-core PKI 10.6.1

References

https://pagure.io/freeipa/issue/7453
x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:1979
vendor-advisoryx_refsource_REDHAT
https://review.gerrithub.io/c/dogtagpki/pki/+/404435
x_refsource_CONFIRM

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.