Red Hat Certificate System pki-tps format string injection

2014.01.26

Credit: Vincent Danen

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2013-1886

CWE: N/A

Ogólna skala CVSS: 7.5/10

Znaczenie: 6.4/10

Łatwość wykorzystania: 10/10

Wymagany dostęp: Zdalny

Złożoność ataku: Niska

Autoryzacja: Nie wymagana

Wpływ na poufność: Częściowy

Wpływ na integralność: Częściowy

Wpływ na dostępność: Częściowy

It was reported that Certificate System suffers from a format string injection flaw when viewing certificates.  This could allow a remote attacker to crash the Certificate System server or, possibly, execute arbitrary code with the privileges of the user runnin the service (typically run as an unprivileged user, such as pkiuser).

This was reported against Certificate System 8.1 and may also affect Dogtag 9 and 10.

Referencje:

https://bugzilla.redhat.com/show_bug.cgi?id=924870

http://www.securityfocus.com/bid/60085

http://rhn.redhat.com/errata/RHSA-2013-0856.html

http://osvdb.org/93613

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Red Hat Certificate System pki-tps format string injection

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.