CVE-2016-9575

First published: Tue Nov 15 2016(Updated: )

Due to a missing permission check, certprofile-mod can be used by an authenticated but unprivileged user to modify certificate profile configuration. This could allow the issuance of certificates with fraudulent subject naming information (allowing the holder of the private key to impersonate another entity), or inappropriate key usage or extended key usage information (use of certificate for unauthorised purposes e.g. code signing). Affected versions : 4.2 and above (all versions supporting certificate profiles) Upstream patch : <a href="https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=fec4c32ff15a96736740cf7d2f713a21af0b227e">https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=fec4c32ff15a96736740cf7d2f713a21af0b227e</a>

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/references
• agent/type
• agent/weakness
• agent/first-publish-date
• agent/softwarecombine
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2016-9575
• agent/software-canonical-lookup
• agent/severity
• agent/author
• agent/description
• collector/mitre-cve
• source/MITRE
• agent/last-modified-date
• agent/event
• agent/source
• agent/tags
• collector/nvd-index
• agent/software-canonical-lookup-request
• package-manager/redhat
• vendor/freeipa
• canonical/freeipa
• version/freeipa/4.2.0
• version/freeipa/4.2.0-alpha1
• version/freeipa/4.2.1
• version/freeipa/4.2.2
• version/freeipa/4.2.3
• version/freeipa/4.2.4
• version/freeipa/4.3.0
• version/freeipa/4.3.1
• version/freeipa/4.3.2
• version/freeipa/4.4.0
• version/freeipa/4.4.1
• version/freeipa/4.4.2