pki-core-10.5.18-12.el7

Errata ID: AXSA:2021-1610:01

Release date: 
Wednesday, March 24, 2021 - 04:26
Subject: 
pki-core-10.5.18-12.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The Public Key Infrastructure (PKI) Core contains fundamental packages required by Asianux Certificate System.

Security Fix(es):

* pki-core: Unprivileged users can renew any certificate (CVE-2021-20179)
* pki-core: XSS in the certificate search results (CVE-2020-25715)
* pki-core: Reflected XSS in 'path length' constraint field in CA's Agent page (CVE-2019-10146)
* pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab (CVE-2019-10179)
* pki-core: Reflected XSS in getcookies?url= endpoint in CA (CVE-2019-10221)
* pki-core: KRA vulnerable to reflected XSS via the getPk12 page (CVE-2020-1721)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Add KRA Transport and Storage Certificates profiles, audit for IPA (BZ#1883639)

CVE-2019-10146
A reflected cross-site scripting (XSS) flaw was found in all pki-core 10.x.x versions: the CA Agent Service does not properly sanitize input that is reflected into the certificate request page. An attacker could supply a specially crafted value that is executed as script in the victim's browser.
CVE-2019-10179
A flaw was found in all pki-core 10.x.x versions: the Key Recovery Authority (KRA) Agent Service did not properly sanitize the recovery request search page, enabling reflected cross-site scripting (XSS). An attacker could trick an authenticated victim into executing specially crafted JavaScript code.
CVE-2019-10221
A reflected cross-site scripting (XSS) vulnerability was found in the pki-ca module of all pki-core 10.x.x versions, caused by missing sanitization of GET URL parameters. An attacker could trick an authenticated user into clicking a specially crafted link whose parameters are reflected into the response and executed as script in that user's browser, with the user's agent session.
CVE-2020-1721
No public description had been published for this CVE when this errata was issued. The Security Fix(es) list above identifies it as a reflected cross-site scripting (XSS) flaw in the KRA's getPk12 page; the impact is the same as for the other reflected XSS entries in this errata: script execution in an authenticated agent's browser via a crafted link.
CVE-2020-25715
No public description had been published for this CVE when this errata was issued. The Security Fix(es) list above identifies it as a cross-site scripting (XSS) flaw in the certificate search results page of the CA.
CVE-2021-20179
A flaw was found in pki-core: certificate renewal was not restricted to privileged users, so an unprivileged user could renew any certificate. An attacker who has compromised a key could use this flaw to renew the corresponding certificate over and over, for as long as it is not explicitly revoked. The highest threat from this vulnerability is to data confidentiality and integrity. Note that the update only stops further unauthorized renewals: a certificate already renewed through this flaw remains valid until it is revoked, so a certificate whose key is suspected to be compromised must be revoked rather than left to expire.
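
The reflected XSS entries above all require an attacker to get a crafted link, carrying HTML metacharacters in the query string, in front of an authenticated agent. A site that patched late will want to know whether its CA or KRA was probed this way. The script below is an added example written for this page (it is not part of the errata or of pki-core): it greps web-server access logs for requests whose query string carries raw or percent-encoded markup, and separately for the subset that hit the endpoints the errata names (getcookies?url=, getPk12, recoveryID). The combined log format, the URL paths and any parameter names other than those three are assumptions for illustration, and the sample log is constructed, not real traffic.

```shell
#!/usr/bin/env bash
# Added example for this errata (not part of the advisory or of pki-core):
# triage access logs for attempts against the reflected-XSS endpoints named
# in the Security Fix(es) list. Log format, URL paths and parameter names
# other than getcookies?url=, getPk12 and recoveryID are assumptions.

# Endpoint/parameter tokens taken from the Security Fix(es) list.
ENDPOINT_RE='getcookies\?url=|getPk12|recoveryID='

# A reflected-XSS probe must put HTML metacharacters into the query string,
# raw or percent-encoded; legitimate agent requests do not. The pattern is
# anchored on the '?' of the request line, so a '<' in the path or in the
# user-agent (after the closing quote) does not match.
PAYLOAD_RE='\?[^" ]*(<|>|%3[cC]|%3[eE]|javascript:)'

# flag_markup_in_query < access.log -> request lines with markup in the
# query string, on any endpoint. Not restricted to known endpoints because
# the errata does not name the pages behind CVE-2019-10146 and CVE-2020-25715.
flag_markup_in_query() {
    grep -E "$PAYLOAD_RE"
}

# flag_named_endpoints < access.log -> the subset of those lines that hit an
# endpoint the errata names explicitly (higher-confidence hits).
flag_named_endpoints() {
    grep -E "$ENDPOINT_RE" | grep -E "$PAYLOAD_RE"
}

# count_* < access.log -> number of flagged lines ("0" when none).
count_markup_in_query() { flag_markup_in_query | wc -l | tr -d ' '; }
count_named_endpoints() { flag_named_endpoints | wc -l | tr -d ' '; }

# Constructed sample log (combined format); not real traffic. Line 1 is a
# benign getcookies redirect and line 4 a benign recoveryID lookup; lines
# 2, 3 and 5 carry encoded markup, and only 2 and 3 hit named endpoints.
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [20/Mar/2021:10:01:02 +0000] "GET /ca/ee/ca/getcookies?url=https%3A%2F%2Fca.example%2Fca%2Fagent HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Mar/2021:10:03:44 +0000] "GET /ca/ee/ca/getcookies?url=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 610 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Mar/2021:10:04:10 +0000] "GET /kra/agent/kra/getPk12?pkcs12=x%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 700 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Mar/2021:10:05:00 +0000] "GET /kra/agent/kra/queryKeyForRecovery?recoveryID=12345 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Mar/2021:10:05:30 +0000] "GET /ca/agent/ca/listCerts?queryCertFilter=%3Cscript%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
)

main() {
    # With a log file argument, triage it; otherwise run over the sample.
    if [ $# -gt 0 ]; then
        flag_markup_in_query < "$1"
    else
        printf '%s\n' "$SAMPLE_LOG" | flag_markup_in_query
    fi
}

main "$@"
```

Run it as `bash triage.sh /var/log/httpd/access_log` (or the Tomcat access log of the CA/KRA instance). Treat the endpoint-restricted hits as the ones to investigate first, and the broader list as a starting point for the two CVEs whose pages the errata does not name; widen ENDPOINT_RE once the affected pages are known for the deployment.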

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. pki-core-10.5.18-12.el7.src.rpm
    MD5: 420a0b6a446f06ac8cba022c6f1caa71
    SHA-256: f2ab61029e8243cccc78a1e591475344cf7b9b57aaf487b60cc03be54d37c258
    Size: 4.86 MB

Asianux Server 7 for x86_64
  1. pki-base-10.5.18-12.el7.noarch.rpm
    MD5: 6df2b19b80d22a661cbaf9ca6e569aa2
    SHA-256: c965ffac3d338c804b541df46acb70431ba58d518034dfee4ea2415e10c77dc2
    Size: 427.74 kB
  2. pki-base-java-10.5.18-12.el7.noarch.rpm
    MD5: 6332e7150d0e0ffadf557bff1c3a9d7c
    SHA-256: d3a52d8cdd71d76a7b34bb3170c2acdaacc1521f04b3986cac85ca6890c51561
    Size: 1.21 MB
  3. pki-ca-10.5.18-12.el7.noarch.rpm
    MD5: c918ec5f788c0813181f80402db7ba9f
    SHA-256: cb3a559b44f5ca27e00295094d2ecc6230b1781c78932fe5da6e0d8a78bc6a97
    Size: 484.50 kB
  4. pki-kra-10.5.18-12.el7.noarch.rpm
    MD5: 0f3aa613790957d774dcfdfc75f3bc9c
    SHA-256: 24727c4b1e3bf4383fb0ed0d3e99935d8754c071751ba71315ccd526f1cbaf27
    Size: 306.66 kB
  5. pki-server-10.5.18-12.el7.noarch.rpm
    MD5: d2029ff7abdbd46afd7ad80b2649a04e
    SHA-256: 9c5f305a7b2ee23c6a9e606131af481a354b431a7b72648b4b7f96c5156bba2f
    Size: 2.94 MB
  6. pki-symkey-10.5.18-12.el7.x86_64.rpm
    MD5: f93498aae1ce081e6be8f7537ab65487
    SHA-256: b8824e56d0053d2a42bf180b3d81877562711b265d4eab687e99d6badfcf983a
    Size: 168.60 kB
  7. pki-tools-10.5.18-12.el7.x86_64.rpm
    MD5: 2534dafe7494aa117af7bbbe7cd09875
    SHA-256: 0723f8c0862dac6eb285c9e4fbe5d040744caadcdb8529137a8fb29f897984ef
    Size: 768.31 kB
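
The Solution section says to update the packages; the two checks a practitioner wants afterwards are that the installed build is actually at or above 10.5.18-12.el7, and that any RPMs fetched by hand match the checksums listed above. The script below is an added example written for this page (not part of the errata or of pki-core). It embeds the SHA-256 values from the Download section in `sha256sum -c` format and compares the installed pki-base version with GNU `sort -V`; SHA-256 rather than MD5 is used because MD5 is not collision-resistant. The version comparison is an approximation of rpm's own ordering (no epoch or tilde handling), which is sufficient for builds in the same 10.5.18 stream.

```shell
#!/usr/bin/env bash
# Added example for this errata (not part of the advisory or of pki-core):
# (1) check that the installed pki-base is at or above the fixed build, and
# (2) verify downloaded RPMs against the SHA-256 values from the Download
# section. Uses GNU coreutils (sha256sum, sort -V) and, when present, rpm.

FIXED_VERSION="10.5.18-12.el7"

# Manifest in sha256sum -c format, copied from the Download section above.
ADVISORY_SHA256=$(cat <<'EOF'
f2ab61029e8243cccc78a1e591475344cf7b9b57aaf487b60cc03be54d37c258  pki-core-10.5.18-12.el7.src.rpm
c965ffac3d338c804b541df46acb70431ba58d518034dfee4ea2415e10c77dc2  pki-base-10.5.18-12.el7.noarch.rpm
d3a52d8cdd71d76a7b34bb3170c2acdaacc1521f04b3986cac85ca6890c51561  pki-base-java-10.5.18-12.el7.noarch.rpm
cb3a559b44f5ca27e00295094d2ecc6230b1781c78932fe5da6e0d8a78bc6a97  pki-ca-10.5.18-12.el7.noarch.rpm
24727c4b1e3bf4383fb0ed0d3e99935d8754c071751ba71315ccd526f1cbaf27  pki-kra-10.5.18-12.el7.noarch.rpm
9c5f305a7b2ee23c6a9e606131af481a354b431a7b72648b4b7f96c5156bba2f  pki-server-10.5.18-12.el7.noarch.rpm
b8824e56d0053d2a42bf180b3d81877562711b265d4eab687e99d6badfcf983a  pki-symkey-10.5.18-12.el7.x86_64.rpm
0723f8c0862dac6eb285c9e4fbe5d040744caadcdb8529137a8fb29f897984ef  pki-tools-10.5.18-12.el7.x86_64.rpm
EOF
)

# is_fixed INSTALLED_VR -> exit 0 if VERSION-RELEASE sorts at or after the
# fixed build. sort -V compares numeric fields numerically, which a plain
# string comparison gets wrong ("-12.el7" would rank below "-9.el7").
# This is not rpmvercmp: no epoch or tilde handling, fine within 10.5.18.
is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# installed_pki_version -> prints VERSION-RELEASE of the installed pki-base,
# or nothing if rpm is unavailable or the package is not installed.
installed_pki_version() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q pki-base >/dev/null 2>&1 || return 0
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' pki-base
}

# verify_sha256 FILE EXPECTED_HEX -> exit 0 if FILE hashes to EXPECTED_HEX.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_downloads DIR -> checks every listed RPM that is present in DIR;
# absent files are skipped (--ignore-missing), any mismatch fails the check
# (and so does a directory containing none of the listed files).
verify_downloads() {
    ( cd "$1" && printf '%s\n' "$ADVISORY_SHA256" | sha256sum -c --ignore-missing )
}

main() {
    installed=$(installed_pki_version)
    if [ -z "$installed" ]; then
        echo "pki-base: not installed (or rpm not available), nothing to check"
    elif is_fixed "$installed"; then
        echo "pki-base $installed: at or above $FIXED_VERSION, fixed"
    else
        echo "pki-base $installed: below $FIXED_VERSION, VULNERABLE, update"
    fi
    # Optional: directory holding the downloaded RPMs to verify.
    if [ $# -gt 0 ]; then
        verify_downloads "$1"
    fi
}

main "$@"
```

Run `bash check-pki.sh` on the CA/KRA host to see the version verdict, or `bash check-pki.sh /path/to/downloads` to also verify fetched RPMs before installing them. Because the check keys on pki-base, run it on every host carrying any of the listed subpackages; pki-ca, pki-kra and pki-server are built from the same source RPM and move together.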