CVE-2021-20179
Published: 15 March 2021
A flaw was found in pki-core. An attacker who has successfully compromised a key could use this flaw to renew the corresponding certificate over and over again, as long as it is not explicitly revoked. The highest threat from this vulnerability is to data confidentiality and integrity.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
dogtag-pki Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Needed
|
|
| groovy |
Ignored
(end of life)
|
|
| hirsute |
Released
(10.10.2-2)
|
|
| impish |
Released
(10.10.2-2)
|
|
| jammy |
Released
(10.10.2-2)
|
|
| kinetic |
Released
(10.10.2-2)
|
|
| lunar |
Released
(10.10.2-2)
|
|
| mantic |
Released
(10.10.2-2)
|
|
| noble |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(10.10.2-2)
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
Patches: upstream: https://github.com/dogtagpki/pki/pull/3474 upstream: https://github.com/dogtagpki/pki/pull/3475 upstream: https://github.com/dogtagpki/pki/pull/3476 upstream: https://github.com/dogtagpki/pki/pull/3477 upstream: https://github.com/dogtagpki/pki/pull/3478 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |