Red Hat Certificate System pki-tps format string injection

2014.01.26
Credit: Vincent Danen
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

It was reported that Certificate System suffers from a format string injection flaw when viewing certificates. This could allow a remote attacker to crash the Certificate System server or, possibly, execute arbitrary code with the privileges of the user runnin the service (typically run as an unprivileged user, such as pkiuser). This was reported against Certificate System 8.1 and may also affect Dogtag 9 and 10.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=924870
http://www.securityfocus.com/bid/60085
http://rhn.redhat.com/errata/RHSA-2013-0856.html
http://osvdb.org/93613


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top