First published: Mon Oct 09 2023(Updated: )
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Freeipa Freeipa | <4.6.10 | |
Freeipa Freeipa | >=4.7.0<4.9.14 | |
Freeipa Freeipa | >=4.10.0<4.10.3 | |
Freeipa Freeipa | =4.11.0 | |
Freeipa Freeipa | =4.11.0-beta1 | |
Fedoraproject Fedora | =38 | |
Fedoraproject Fedora | =39 | |
Fedoraproject Fedora | =40 | |
Redhat Codeready Linux Builder | ||
Redhat Enterprise Linux | =7.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux | =8.4 | |
Redhat Enterprise Linux | =9.0 | |
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Eus | =8.6 | |
Redhat Enterprise Linux Eus | =8.6 | |
Redhat Enterprise Linux Eus | =8.8 | |
Redhat Enterprise Linux Eus | =9.0 | |
Redhat Enterprise Linux Eus | =9.2 | |
Redhat Enterprise Linux For Arm 64 Eus | =8.8 | |
Redhat Enterprise Linux For Arm 64 Eus | =9.0 | |
Redhat Enterprise Linux For Arm 64 Eus | =9.2 | |
Redhat Enterprise Linux For Ibm Z Systems | =7.0 | |
Redhat Enterprise Linux For Ibm Z Systems | =8.0 | |
Redhat Enterprise Linux For Ibm Z Systems | =9.0 | |
Redhat Enterprise Linux For Ibm Z Systems Eus | =8.6 | |
Redhat Enterprise Linux For Ibm Z Systems Eus | =8.8 | |
Redhat Enterprise Linux For Ibm Z Systems Eus | =9.0 | |
Redhat Enterprise Linux For Ibm Z Systems Eus | =9.2 | |
Redhat Enterprise Linux For Power Big Endian | =7.0 | |
Redhat Enterprise Linux For Power Little Endian | =7.0 | |
Redhat Enterprise Linux For Power Little Endian | =8.0 | |
Redhat Enterprise Linux For Power Little Endian | =9.0 | |
Redhat Enterprise Linux For Power Little Endian Eus | =8.6 | |
Redhat Enterprise Linux For Power Little Endian Eus | =8.8 | |
Redhat Enterprise Linux For Power Little Endian Eus | =9.0 | |
Redhat Enterprise Linux For Power Little Endian Eus | =9.2 | |
Redhat Enterprise Linux For Scientific Computing | =7.0 | |
Redhat Enterprise Linux Server | =9.0 | |
Redhat Enterprise Linux Server | =9.2 | |
Redhat Enterprise Linux Server Aus | =8.2 | |
Redhat Enterprise Linux Server Aus | =8.4 | |
Redhat Enterprise Linux Server Aus | =8.6 | |
Redhat Enterprise Linux Server Aus | =9.2 | |
Redhat Enterprise Linux Server For Ibm Z Systems | =9.2 | |
Redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions | =8.2 | |
Redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions | =8.4 | |
Redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions | =8.6 | |
Redhat Enterprise Linux Server Tus | =8.2 | |
Redhat Enterprise Linux Server Tus | =8.4 | |
Redhat Enterprise Linux Server Tus | =8.6 | |
Redhat Enterprise Linux Server Update Services For Sap Solutions | =8.2 | |
Redhat Enterprise Linux Server Update Services For Sap Solutions | =8.6 | |
Redhat Enterprise Linux Server Update Services For Sap Solutions | =9.0 | |
Redhat Enterprise Linux Server Update Services For Sap Solutions | =9.2 | |
Redhat Enterprise Linux Update Services For Sap Solutions | =9.0 | |
Redhat Enterprise Linux Update Services For Sap Solutions | =9.2 | |
Redhat Enterprise Linux Workstation | =7.0 | |
redhat/ipa 4-11 | <1 | 1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.