Flaw in pki-core Allows Certificate Renewal Exploit for Red Hat Products
CVE-2021-20179

8.1HIGH

Key Information:

Vendor: Dogtagpki
Status: Pki-core
Vendor: CVE Published:; 15 March 2021

What is CVE-2021-20179?

A vulnerability exists in pki-core that allows an attacker, who has compromised a key, to repeatedly renew the associated certificate without proper revocation. This flaw endangers data confidentiality and integrity, allowing malicious actors to maintain unauthorized access or modify sensitive information. It is crucial for organizations using pki-core to apply necessary updates to mitigate these risks.

Affected Version(s)

pki-core pki-core 10.5, pki-core 10.8, pki-core 10.9, pki-core 10.10, pki-core 10.11

References

https://bugzilla.redhat.com/show_bug.cgi?id=1914379

x_refsource_MISC

https://github.com/dogtagpki/pki/pull/3478

x_refsource_MISC

https://github.com/dogtagpki/pki/pull/3477

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 15, 2021
Vulnerability Reserved
Dec 17, 2020

Dogtagpki

What is CVE-2021-20179?

Affected Version(s)

References

CVSS V3.1

Timeline