CVE-2022-2393
First published: Fri Jun 24 2022(Updated: )
A flaw was found in pki-core, which could allow a user to get a certificate for another user identity when directory-based authentication is enabled. This flaw allows an authenticated attacker on the adjacent network to impersonate another user within the scope of the domain, but they would not be able to decrypt message content.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/pki-core | <0:10.5.18-23.el7 | 0:10.5.18-23.el7 |
| redhat/pki-core | <0:10.5.18-23.el7_9 | 0:10.5.18-23.el7_9 |
| redhat/pki-core | <0:11.3.0-1.el9 | 0:11.3.0-1.el9 |
| Pki-core Project Pki-core | <=10.12.4 | |
| Redhat Certificate System | =9.0 | |
| Redhat Certificate System | =10.0 | |
| Redhat Enterprise Linux | =6.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 |
Remedy
This flaw is not exposed if directory-based authentication is not enabled. It is not enabled by default.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=2101046
- https://access.redhat.com/errata/RHSA-2022:7077
- https://access.redhat.com/errata/RHSA-2022:7086
- https://access.redhat.com/security/cve/cve-2022-2393
- https://access.redhat.com/errata/RHSA-2023:2293
- https://access.redhat.com/errata/RHSA-2023:3394
- https://www.cve.org/CVERecord?id=CVE-2022-2393 https://nvd.nist.gov/vuln/detail/CVE-2022-2393
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-2393?
CVE-2022-2393 is a vulnerability in pki-core that allows a user to get a certificate for another user identity.
How does CVE-2022-2393 affect pki-core?
CVE-2022-2393 affects pki-core when directory-based authentication is enabled.
What is the severity of CVE-2022-2393?
The severity of CVE-2022-2393 is high with a CVSS score of 7.6.
How can an attacker exploit CVE-2022-2393?
An authenticated attacker on the adjacent network can impersonate another user within the scope of the domain.
What is the remedy for CVE-2022-2393?
Update pki-core to version 0:10.5.18-23.el7, 0:10.5.18-23.el7_9, or 0:11.3.0-1.el9 to address the vulnerability.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/tags
- agent/event
- agent/weakness
- agent/remedy
- agent/references
- agent/author
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-2393
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/pki-core project
- canonical/pki-core project pki-core
- version/pki-core project pki-core/10.12.4
- vendor/redhat
- canonical/redhat certificate system
- version/redhat certificate system/9.0
- version/redhat certificate system/10.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/6.0
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- version/redhat enterprise linux/9.0