Search criteria

3 vulnerabilities found for enterprise_linux_server_for_ibm_z_systems by redhat

FKIE_CVE-2023-5455

Vulnerability from fkie_nvd - Published: 2024-01-10 13:15 - Updated: 2024-11-21 08:41
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Summary
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0137Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0138Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0139Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0140Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0141Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0142Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0143Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0144Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0145Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0252Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2023-5455Third Party Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2242828Issue Tracking, Third Party Advisory
secalert@redhat.comhttps://www.freeipa.org/release-notes/4-10-3.htmlRelease Notes
secalert@redhat.comhttps://www.freeipa.org/release-notes/4-11-1.htmlRelease Notes
secalert@redhat.comhttps://www.freeipa.org/release-notes/4-6-10.htmlRelease Notes
secalert@redhat.comhttps://www.freeipa.org/release-notes/4-9-14.htmlRelease Notes
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0137Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0138Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0139Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0140Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0141Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0142Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0143Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0144Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0145Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0252Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2023-5455Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2242828Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U76DAZZVY7V4XQBOOV5ETPTHW3A6MW5O/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFNUQH7IOHTKCTKQWFHONWGUBOUANL6I/
af854a3a-2127-422b-91ae-364da2661108https://www.freeipa.org/release-notes/4-10-3.htmlRelease Notes
af854a3a-2127-422b-91ae-364da2661108https://www.freeipa.org/release-notes/4-11-1.htmlRelease Notes
af854a3a-2127-422b-91ae-364da2661108https://www.freeipa.org/release-notes/4-6-10.htmlRelease Notes
af854a3a-2127-422b-91ae-364da2661108https://www.freeipa.org/release-notes/4-9-14.htmlRelease Notes
Impacted products
Vendor Product Version
freeipa freeipa *
freeipa freeipa *
freeipa freeipa *
freeipa freeipa 4.11.0
freeipa freeipa 4.11.0
fedoraproject fedora 38
fedoraproject fedora 39
fedoraproject fedora 40
redhat codeready_linux_builder -
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 8.0
redhat enterprise_linux 8.4
redhat enterprise_linux 9.0
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_eus 8.8
redhat enterprise_linux_eus 9.0
redhat enterprise_linux_eus 9.2
redhat enterprise_linux_for_arm_64_eus 8.8
redhat enterprise_linux_for_arm_64_eus 9.0
redhat enterprise_linux_for_arm_64_eus 9.2
redhat enterprise_linux_for_ibm_z_systems 7.0
redhat enterprise_linux_for_ibm_z_systems 8.0
redhat enterprise_linux_for_ibm_z_systems 9.0
redhat enterprise_linux_for_ibm_z_systems_eus 8.6
redhat enterprise_linux_for_ibm_z_systems_eus 8.8
redhat enterprise_linux_for_ibm_z_systems_eus 9.0
redhat enterprise_linux_for_ibm_z_systems_eus 9.2
redhat enterprise_linux_for_power_big_endian 7.0
redhat enterprise_linux_for_power_little_endian 7.0
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_for_power_little_endian 9.0
redhat enterprise_linux_for_power_little_endian_eus 8.6
redhat enterprise_linux_for_power_little_endian_eus 8.8
redhat enterprise_linux_for_power_little_endian_eus 9.0
redhat enterprise_linux_for_power_little_endian_eus 9.2
redhat enterprise_linux_for_scientific_computing 7.0
redhat enterprise_linux_server 9.0
redhat enterprise_linux_server 9.2
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server_aus 9.2
redhat enterprise_linux_server_for_ibm_z_systems 9.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.6
redhat enterprise_linux_server_tus 8.2
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_server_update_services_for_sap_solutions 8.2
redhat enterprise_linux_server_update_services_for_sap_solutions 8.6
redhat enterprise_linux_server_update_services_for_sap_solutions 9.0
redhat enterprise_linux_server_update_services_for_sap_solutions 9.2
redhat enterprise_linux_update_services_for_sap_solutions 9.0
redhat enterprise_linux_update_services_for_sap_solutions 9.2
redhat enterprise_linux_workstation 7.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:freeipa:freeipa:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F01233DD-A506-4E02-B824-994F14CCC178",
              "versionEndExcluding": "4.6.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:freeipa:freeipa:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE2615F6-DA17-44FD-B7BF-A82F5A005CEA",
              "versionEndExcluding": "4.9.14",
              "versionStartIncluding": "4.7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:freeipa:freeipa:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "761C5CBD-6A92-48E7-8C9B-401DD6D1B59F",
              "versionEndExcluding": "4.10.3",
              "versionStartIncluding": "4.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:freeipa:freeipa:4.11.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "0A5B25F1-BFB1-47C8-8BDE-A0E817D175F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:freeipa:freeipa:4.11.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "4A1F8BF2-0FF7-40FD-A4B4-F040A07BCD64",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*",
              "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:codeready_linux_builder:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "1CD81C46-328B-412D-AF4E-68A2AD2F1A73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:arm64:*",
              "matchCriteriaId": "07670103-FC39-4797-AF5F-1604DA1E6BF5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "5DAD1E4A-B22F-432C-97C8-D91D286535F1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "6C3741B8-851F-475D-B428-523F4F722350",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:arm64:*",
              "matchCriteriaId": "2244278A-3AC8-437F-9F23-6FA63E7C603D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "62C31522-0A17-4025-B269-855C7F4B45C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4DDA3E5A-8754-4C48-9A27-E2415F8A6000",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "3C74F6FA-FA6C-4648-9079-91446E45EE47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:8.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "83981111-E13A-4A88-80FD-F63D7CCAA47F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6AAF4A69-A4CC-409E-BC05-FABAE86321B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "78825319-8A45-4880-B7C4-2B223029DDD3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "566507B6-AC95-47F7-A3FB-C6F414E45F51",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "87C21FE1-EA5C-498F-9C6C-D05F91A88217",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D650BFB9-4FDC-4311-8D7E-D981C8F4FA3B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EF5C4AC-CA69-41E3-AD93-7AC21931374A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "83364F5C-57F4-4D57-B54F-540CAC1D7753",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B6C30A81-BF75-46CC-A05E-42BAF271D1C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "213A5029-FCF9-4EA9-AEF9-21313F6DCBD8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1CDCFF34-6F1D-45A1-BE37-6A0E17B04801",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4A684C7-88FD-43C4-9BDB-AE337FCBD0AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "47811209-5CE5-4375-8391-B0A7F6A0E420",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "35EEDB95-DCD1-4FED-9BBB-877B2062410C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "729C515E-1DD3-466D-A50B-AFE058FFC94A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "A49ABD84-6755-4894-AD4E-49AAD39933C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "868A6ED7-44DD-44FF-8ADD-9971298A1175",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "71DDE212-1018-4554-9C06-4908442DE134",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "37CE1DC7-72C5-483C-8921-0B462C8284D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server:9.0:*:*:*:*:*:arm64:*",
              "matchCriteriaId": "BC78EE94-02A0-441D-9723-385E6C43CF90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server:9.2:*:*:*:*:*:arm64:*",
              "matchCriteriaId": "ADEB6E4F-E680-40CC-AD70-9872BDE1C66F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "6897676D-53F9-45B3-B27F-7FF9A4C58D33",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "E28F226A-CBC7-4A32-BE58-398FA5B42481",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "76C24D94-834A-4E9D-8F73-624AFA99AAA2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "F32CA554-F9D7-425B-8F1C-89678507F28C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_ibm_z_systems:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E0755055-E98F-4A33-B4B9-1BFCFF03EF8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "7DA6A5AF-2EBE-4ED9-B312-DCD9D150D031",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "22D095ED-9247-4133-A133-73B7668565E4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "871A5C26-DB7B-4870-A5B2-5DD24C90B4A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "B09ACF2D-D83F-4A86-8185-9569605D8EE1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC10D919-57FD-4725-B8D2-39ECB476902F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "1272DF03-7674-4BD4-8E64-94004B195448",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "3921C1CF-A16D-4727-99AD-03EFFA7C91CA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "7614E5D3-4643-4CAE-9578-9BB9D558211F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BE1A81A1-63EC-431C-9CBC-8D28C15AB3E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC7D8E93-D4BE-46E7-BDE7-843BF8A33162",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "083AAC55-E87B-482A-A1F4-8F2DEB90CB23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "1FD9BF0E-7ACF-4A83-B754-6E3979ED903F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de Cross-site request forgery en ipa/session/login_password en todas las versiones compatibles de IPA. Este fallo permite a un atacante enga\u00f1ar al usuario para que env\u00ede una solicitud que podr\u00eda realizar acciones como el usuario, lo que resulta en una p\u00e9rdida de confidencialidad e integridad del sistema. Durante las pruebas de penetraci\u00f3n de la comunidad, se descubri\u00f3 que para ciertos endpoints HTTP, FreeIPA no garantizan la protecci\u00f3n CSRF. Debido a los detalles de implementaci\u00f3n, no se puede utilizar este fallo para reflejar una cookie que represente a un usuario que ya inici\u00f3 sesi\u00f3n. Un atacante siempre tendr\u00eda que realizar un nuevo intento de autenticaci\u00f3n."
    }
  ],
  "id": "CVE-2023-5455",
  "lastModified": "2024-11-21T08:41:47.993",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-01-10T13:15:48.643",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0137"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0138"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0139"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0140"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0141"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0142"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0143"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0144"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0145"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0252"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-5455"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242828"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.freeipa.org/release-notes/4-10-3.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.freeipa.org/release-notes/4-11-1.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.freeipa.org/release-notes/4-6-10.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.freeipa.org/release-notes/4-9-14.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0137"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0138"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0139"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0140"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0141"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0142"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0143"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0144"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0145"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:0252"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-5455"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242828"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U76DAZZVY7V4XQBOOV5ETPTHW3A6MW5O/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFNUQH7IOHTKCTKQWFHONWGUBOUANL6I/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.freeipa.org/release-notes/4-10-3.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.freeipa.org/release-notes/4-11-1.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.freeipa.org/release-notes/4-6-10.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.freeipa.org/release-notes/4-9-14.html"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2023-5455 (GCVE-0-2023-5455)

Vulnerability from cvelistv5 – Published: 2024-01-10 12:33 – Updated: 2025-11-20 18:06
VLAI?
Summary
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
Vendor Product Version
Red Hat Red Hat Enterprise Linux 7 Unaffected: 0:4.6.8-5.el7_9.16 , < * (rpm)
    cpe:/o:redhat:enterprise_linux:7::client
    cpe:/o:redhat:enterprise_linux:7::server
    cpe:/o:redhat:enterprise_linux:7::workstation
    cpe:/o:redhat:enterprise_linux:7::computenode
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8 Unaffected: 8090020231201152514.3387e3d0 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:8::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.2 Advanced Update Support Unaffected: 8020020231123154806.792f4060 , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.2::appstream
    cpe:/a:redhat:rhel_aus:8.2::appstream
    cpe:/a:redhat:rhel_tus:8.2::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.2 Telecommunications Update Service Unaffected: 8020020231123154806.792f4060 , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.2::appstream
    cpe:/a:redhat:rhel_aus:8.2::appstream
    cpe:/a:redhat:rhel_tus:8.2::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Unaffected: 8020020231123154806.792f4060 , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.2::appstream
    cpe:/a:redhat:rhel_aus:8.2::appstream
    cpe:/a:redhat:rhel_tus:8.2::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Unaffected: 8040020231123154610.5b01ab7e , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.4::appstream
    cpe:/a:redhat:rhel_aus:8.4::appstream
    cpe:/a:redhat:rhel_tus:8.4::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.4 Telecommunications Update Service Unaffected: 8040020231123154610.5b01ab7e , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.4::appstream
    cpe:/a:redhat:rhel_aus:8.4::appstream
    cpe:/a:redhat:rhel_tus:8.4::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Unaffected: 8040020231123154610.5b01ab7e , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.4::appstream
    cpe:/a:redhat:rhel_aus:8.4::appstream
    cpe:/a:redhat:rhel_tus:8.4::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.6 Extended Update Support Unaffected: 8060020231208020207.ada582f1 , < * (rpm)
    cpe:/a:redhat:rhel_eus:8.6::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.6 Extended Update Support Unaffected: 0:1.18.2-16.el8_6 , < * (rpm)
    cpe:/o:redhat:rhel_eus:8.6::baseos
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.8 Extended Update Support Unaffected: 8080020231201153604.b0a6ceea , < * (rpm)
    cpe:/a:redhat:rhel_eus:8.8::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9 Unaffected: 0:4.10.2-5.el9_3 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:9::appstream
    cpe:/a:redhat:enterprise_linux:9::crb
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9.0 Extended Update Support Unaffected: 0:4.9.8-9.el9_0 , < * (rpm)
    cpe:/a:redhat:rhel_eus:9.0::appstream
    cpe:/a:redhat:rhel_eus:9.0::crb
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9.2 Extended Update Support Unaffected: 0:4.10.1-10.el9_2 , < * (rpm)
    cpe:/a:redhat:rhel_eus:9.2::crb
    cpe:/a:redhat:rhel_eus:9.2::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
 Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:59:44.726Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2024:0137",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0137"
          },
          {
            "name": "RHSA-2024:0138",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0138"
          },
          {
            "name": "RHSA-2024:0139",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0139"
          },
          {
            "name": "RHSA-2024:0140",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0140"
          },
          {
            "name": "RHSA-2024:0141",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0141"
          },
          {
            "name": "RHSA-2024:0142",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0142"
          },
          {
            "name": "RHSA-2024:0143",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0143"
          },
          {
            "name": "RHSA-2024:0144",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0144"
          },
          {
            "name": "RHSA-2024:0145",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0145"
          },
          {
            "name": "RHSA-2024:0252",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0252"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-5455"
          },
          {
            "name": "RHBZ#2242828",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242828"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U76DAZZVY7V4XQBOOV5ETPTHW3A6MW5O/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFNUQH7IOHTKCTKQWFHONWGUBOUANL6I/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.freeipa.org/release-notes/4-10-3.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.freeipa.org/release-notes/4-11-1.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.freeipa.org/release-notes/4-6-10.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.freeipa.org/release-notes/4-9-14.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5455",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-23T16:16:21.894068Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-14T15:56:55.572Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7::client",
            "cpe:/o:redhat:enterprise_linux:7::server",
            "cpe:/o:redhat:enterprise_linux:7::workstation",
            "cpe:/o:redhat:enterprise_linux:7::computenode"
          ],
          "defaultStatus": "affected",
          "packageName": "ipa",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.6.8-5.el7_9.16",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:8::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8090020231201152514.3387e3d0",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.2::appstream",
            "cpe:/a:redhat:rhel_aus:8.2::appstream",
            "cpe:/a:redhat:rhel_tus:8.2::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8020020231123154806.792f4060",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.2::appstream",
            "cpe:/a:redhat:rhel_aus:8.2::appstream",
            "cpe:/a:redhat:rhel_tus:8.2::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8020020231123154806.792f4060",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.2::appstream",
            "cpe:/a:redhat:rhel_aus:8.2::appstream",
            "cpe:/a:redhat:rhel_tus:8.2::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8020020231123154806.792f4060",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.4::appstream",
            "cpe:/a:redhat:rhel_aus:8.4::appstream",
            "cpe:/a:redhat:rhel_tus:8.4::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8040020231123154610.5b01ab7e",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.4::appstream",
            "cpe:/a:redhat:rhel_aus:8.4::appstream",
            "cpe:/a:redhat:rhel_tus:8.4::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8040020231123154610.5b01ab7e",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.4::appstream",
            "cpe:/a:redhat:rhel_aus:8.4::appstream",
            "cpe:/a:redhat:rhel_tus:8.4::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8040020231123154610.5b01ab7e",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:8.6::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.6 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8060020231208020207.ada582f1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_eus:8.6::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 8.6 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.18.2-16.el8_6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:8.8::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.8 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8080020231201153604.b0a6ceea",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/a:redhat:enterprise_linux:9::crb"
          ],
          "defaultStatus": "affected",
          "packageName": "ipa",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.10.2-5.el9_3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:9.0::appstream",
            "cpe:/a:redhat:rhel_eus:9.0::crb"
          ],
          "defaultStatus": "affected",
          "packageName": "ipa",
          "product": "Red Hat Enterprise Linux 9.0 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.9.8-9.el9_0",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:9.2::crb",
            "cpe:/a:redhat:rhel_eus:9.2::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "ipa",
          "product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.10.1-10.el9_2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "ipa",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "idm:client/ipa",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2024-01-10T06:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-20T18:06:12.304Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:0137",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0137"
        },
        {
          "name": "RHSA-2024:0138",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0138"
        },
        {
          "name": "RHSA-2024:0139",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0139"
        },
        {
          "name": "RHSA-2024:0140",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0140"
        },
        {
          "name": "RHSA-2024:0141",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0141"
        },
        {
          "name": "RHSA-2024:0142",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0142"
        },
        {
          "name": "RHSA-2024:0143",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0143"
        },
        {
          "name": "RHSA-2024:0144",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0144"
        },
        {
          "name": "RHSA-2024:0145",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0145"
        },
        {
          "name": "RHSA-2024:0252",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0252"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-5455"
        },
        {
          "name": "RHBZ#2242828",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242828"
        },
        {
          "url": "https://www.freeipa.org/release-notes/4-10-3.html"
        },
        {
          "url": "https://www.freeipa.org/release-notes/4-11-1.html"
        },
        {
          "url": "https://www.freeipa.org/release-notes/4-6-10.html"
        },
        {
          "url": "https://www.freeipa.org/release-notes/4-9-14.html"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-10-09T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-01-10T06:30:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Ipa: invalid csrf protection",
      "workarounds": [
        {
          "lang": "en",
          "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."
        }
      ],
      "x_redhatCweChain": "CWE-352: Cross-Site Request Forgery (CSRF)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-5455",
    "datePublished": "2024-01-10T12:33:00.336Z",
    "dateReserved": "2023-10-09T04:39:08.777Z",
    "dateUpdated": "2025-11-20T18:06:12.304Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-5455 (GCVE-0-2023-5455)

Vulnerability from nvd – Published: 2024-01-10 12:33 – Updated: 2025-11-20 18:06
VLAI?
Summary
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
Vendor Product Version
Red Hat Red Hat Enterprise Linux 7 Unaffected: 0:4.6.8-5.el7_9.16 , < * (rpm)
    cpe:/o:redhat:enterprise_linux:7::client
    cpe:/o:redhat:enterprise_linux:7::server
    cpe:/o:redhat:enterprise_linux:7::workstation
    cpe:/o:redhat:enterprise_linux:7::computenode
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8 Unaffected: 8090020231201152514.3387e3d0 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:8::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.2 Advanced Update Support Unaffected: 8020020231123154806.792f4060 , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.2::appstream
    cpe:/a:redhat:rhel_aus:8.2::appstream
    cpe:/a:redhat:rhel_tus:8.2::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.2 Telecommunications Update Service Unaffected: 8020020231123154806.792f4060 , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.2::appstream
    cpe:/a:redhat:rhel_aus:8.2::appstream
    cpe:/a:redhat:rhel_tus:8.2::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Unaffected: 8020020231123154806.792f4060 , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.2::appstream
    cpe:/a:redhat:rhel_aus:8.2::appstream
    cpe:/a:redhat:rhel_tus:8.2::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Unaffected: 8040020231123154610.5b01ab7e , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.4::appstream
    cpe:/a:redhat:rhel_aus:8.4::appstream
    cpe:/a:redhat:rhel_tus:8.4::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.4 Telecommunications Update Service Unaffected: 8040020231123154610.5b01ab7e , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.4::appstream
    cpe:/a:redhat:rhel_aus:8.4::appstream
    cpe:/a:redhat:rhel_tus:8.4::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Unaffected: 8040020231123154610.5b01ab7e , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.4::appstream
    cpe:/a:redhat:rhel_aus:8.4::appstream
    cpe:/a:redhat:rhel_tus:8.4::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.6 Extended Update Support Unaffected: 8060020231208020207.ada582f1 , < * (rpm)
    cpe:/a:redhat:rhel_eus:8.6::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.6 Extended Update Support Unaffected: 0:1.18.2-16.el8_6 , < * (rpm)
    cpe:/o:redhat:rhel_eus:8.6::baseos
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8.8 Extended Update Support Unaffected: 8080020231201153604.b0a6ceea , < * (rpm)
    cpe:/a:redhat:rhel_eus:8.8::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9 Unaffected: 0:4.10.2-5.el9_3 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:9::appstream
    cpe:/a:redhat:enterprise_linux:9::crb
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9.0 Extended Update Support Unaffected: 0:4.9.8-9.el9_0 , < * (rpm)
    cpe:/a:redhat:rhel_eus:9.0::appstream
    cpe:/a:redhat:rhel_eus:9.0::crb
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9.2 Extended Update Support Unaffected: 0:4.10.1-10.el9_2 , < * (rpm)
    cpe:/a:redhat:rhel_eus:9.2::crb
    cpe:/a:redhat:rhel_eus:9.2::appstream
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
 Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
 Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:59:44.726Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2024:0137",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0137"
          },
          {
            "name": "RHSA-2024:0138",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0138"
          },
          {
            "name": "RHSA-2024:0139",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0139"
          },
          {
            "name": "RHSA-2024:0140",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0140"
          },
          {
            "name": "RHSA-2024:0141",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0141"
          },
          {
            "name": "RHSA-2024:0142",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0142"
          },
          {
            "name": "RHSA-2024:0143",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0143"
          },
          {
            "name": "RHSA-2024:0144",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0144"
          },
          {
            "name": "RHSA-2024:0145",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0145"
          },
          {
            "name": "RHSA-2024:0252",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0252"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-5455"
          },
          {
            "name": "RHBZ#2242828",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242828"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U76DAZZVY7V4XQBOOV5ETPTHW3A6MW5O/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFNUQH7IOHTKCTKQWFHONWGUBOUANL6I/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.freeipa.org/release-notes/4-10-3.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.freeipa.org/release-notes/4-11-1.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.freeipa.org/release-notes/4-6-10.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.freeipa.org/release-notes/4-9-14.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5455",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-23T16:16:21.894068Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-14T15:56:55.572Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7::client",
            "cpe:/o:redhat:enterprise_linux:7::server",
            "cpe:/o:redhat:enterprise_linux:7::workstation",
            "cpe:/o:redhat:enterprise_linux:7::computenode"
          ],
          "defaultStatus": "affected",
          "packageName": "ipa",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.6.8-5.el7_9.16",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:8::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8090020231201152514.3387e3d0",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.2::appstream",
            "cpe:/a:redhat:rhel_aus:8.2::appstream",
            "cpe:/a:redhat:rhel_tus:8.2::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8020020231123154806.792f4060",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.2::appstream",
            "cpe:/a:redhat:rhel_aus:8.2::appstream",
            "cpe:/a:redhat:rhel_tus:8.2::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8020020231123154806.792f4060",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.2::appstream",
            "cpe:/a:redhat:rhel_aus:8.2::appstream",
            "cpe:/a:redhat:rhel_tus:8.2::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8020020231123154806.792f4060",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.4::appstream",
            "cpe:/a:redhat:rhel_aus:8.4::appstream",
            "cpe:/a:redhat:rhel_tus:8.4::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8040020231123154610.5b01ab7e",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.4::appstream",
            "cpe:/a:redhat:rhel_aus:8.4::appstream",
            "cpe:/a:redhat:rhel_tus:8.4::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8040020231123154610.5b01ab7e",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.4::appstream",
            "cpe:/a:redhat:rhel_aus:8.4::appstream",
            "cpe:/a:redhat:rhel_tus:8.4::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8040020231123154610.5b01ab7e",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:8.6::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.6 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8060020231208020207.ada582f1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_eus:8.6::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 8.6 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.18.2-16.el8_6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:8.8::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "idm:DL1",
          "product": "Red Hat Enterprise Linux 8.8 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "8080020231201153604.b0a6ceea",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/a:redhat:enterprise_linux:9::crb"
          ],
          "defaultStatus": "affected",
          "packageName": "ipa",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.10.2-5.el9_3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:9.0::appstream",
            "cpe:/a:redhat:rhel_eus:9.0::crb"
          ],
          "defaultStatus": "affected",
          "packageName": "ipa",
          "product": "Red Hat Enterprise Linux 9.0 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.9.8-9.el9_0",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:9.2::crb",
            "cpe:/a:redhat:rhel_eus:9.2::appstream"
          ],
          "defaultStatus": "affected",
          "packageName": "ipa",
          "product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.10.1-10.el9_2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "ipa",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "idm:client/ipa",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "krb5",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2024-01-10T06:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-20T18:06:12.304Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:0137",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0137"
        },
        {
          "name": "RHSA-2024:0138",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0138"
        },
        {
          "name": "RHSA-2024:0139",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0139"
        },
        {
          "name": "RHSA-2024:0140",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0140"
        },
        {
          "name": "RHSA-2024:0141",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0141"
        },
        {
          "name": "RHSA-2024:0142",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0142"
        },
        {
          "name": "RHSA-2024:0143",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0143"
        },
        {
          "name": "RHSA-2024:0144",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0144"
        },
        {
          "name": "RHSA-2024:0145",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0145"
        },
        {
          "name": "RHSA-2024:0252",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0252"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-5455"
        },
        {
          "name": "RHBZ#2242828",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242828"
        },
        {
          "url": "https://www.freeipa.org/release-notes/4-10-3.html"
        },
        {
          "url": "https://www.freeipa.org/release-notes/4-11-1.html"
        },
        {
          "url": "https://www.freeipa.org/release-notes/4-6-10.html"
        },
        {
          "url": "https://www.freeipa.org/release-notes/4-9-14.html"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-10-09T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-01-10T06:30:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Ipa: invalid csrf protection",
      "workarounds": [
        {
          "lang": "en",
          "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."
        }
      ],
      "x_redhatCweChain": "CWE-352: Cross-Site Request Forgery (CSRF)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-5455",
    "datePublished": "2024-01-10T12:33:00.336Z",
    "dateReserved": "2023-10-09T04:39:08.777Z",
    "dateUpdated": "2025-11-20T18:06:12.304Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}