An issue exists in EJBCA prior to 6.15.2.6 and 7.x prior to 7.3.1.2. An error state can be generated in the CA UI by a malicious user. This, in turn, allows exploitation of other bugs. This follow-on exploitation can lead to privilege escalation and remote code execution. (This is exploitable only when at least one accessible port lacks a requirement for client certificate authentication. These ports are 8442 or 8080 in a standard installation.)
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
primekey ejbca |