6.5
CVSSv3

CVE-2023-5455

Published: 10/01/2024 Updated: 21/11/2024

Vulnerability Summary

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an malicious user to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

Vulnerable Product Search on Vulmon Subscribe to Product

freeipa freeipa

freeipa freeipa 4.11.0

fedoraproject fedora 38

fedoraproject fedora 39

fedoraproject fedora 40

redhat codeready linux builder -

redhat enterprise linux 7.0

redhat enterprise linux 8.0

redhat enterprise linux 8.4

redhat enterprise linux 9.0

redhat enterprise linux desktop 7.0

redhat enterprise linux eus 8.6

redhat enterprise linux eus 8.8

redhat enterprise linux eus 9.0

redhat enterprise linux eus 9.2

redhat enterprise linux for arm 64 eus 8.8

redhat enterprise linux for arm 64 eus 9.0

redhat enterprise linux for arm 64 eus 9.2

redhat enterprise linux for ibm z systems 7.0

redhat enterprise linux for ibm z systems 8.0

redhat enterprise linux for ibm z systems 9.0

redhat enterprise linux for ibm z systems eus 8.6

redhat enterprise linux for ibm z systems eus 8.8

redhat enterprise linux for ibm z systems eus 9.0

redhat enterprise linux for ibm z systems eus 9.2

redhat enterprise linux for power big endian 7.0

redhat enterprise linux for power little endian 7.0

redhat enterprise linux for power little endian 8.0

redhat enterprise linux for power little endian 9.0

redhat enterprise linux for power little endian eus 8.6

redhat enterprise linux for power little endian eus 8.8

redhat enterprise linux for power little endian eus 9.0

redhat enterprise linux for power little endian eus 9.2

redhat enterprise linux for scientific computing 7.0

redhat enterprise linux server 9.0

redhat enterprise linux server 9.2

redhat enterprise linux server aus 8.2

redhat enterprise linux server aus 8.4

redhat enterprise linux server aus 8.6

redhat enterprise linux server aus 9.2

redhat enterprise linux server for ibm z systems 9.2

redhat enterprise linux server for power little endian update services for sap solutions 8.2

redhat enterprise linux server for power little endian update services for sap solutions 8.4

redhat enterprise linux server for power little endian update services for sap solutions 8.6

redhat enterprise linux server tus 8.2

redhat enterprise linux server tus 8.4

redhat enterprise linux server tus 8.6

redhat enterprise linux server update services for sap solutions 8.2

redhat enterprise linux server update services for sap solutions 8.6

redhat enterprise linux server update services for sap solutions 9.0

redhat enterprise linux server update services for sap solutions 9.2

redhat enterprise linux update services for sap solutions 9.0

redhat enterprise linux update services for sap solutions 9.2

redhat enterprise linux workstation 7.0

Vendor Advisories

Debian Bug report logs - #1060415 freeipa: CVE-2023-5455 Package: src:freeipa; Maintainer for src:freeipa is Debian FreeIPA Team <pkg-freeipa-devel@alioth-listsdebiannet>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 10 Jan 2024 21:18:01 UTC Severity: important Tags: security, upstream Found in ...
Synopsis Moderate: idm:DL1 security update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the idm:DL1 module is now available for Red Hat Enterprise Linux 88 Extended Update SupportRed Hat Product Security ...
Synopsis Moderate: krb5 security update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for krb5 is now available for Red Hat Enterprise Linux 86 Extended Update SupportRed Hat Product Security has rated this u ...
Synopsis Moderate: ipa security update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for ipa is now available for Red Hat Enterprise Linux 9Red Hat Product Security has rated this update as having a security i ...
Synopsis Moderate: idm:DL1 security update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the idm:DL1 module is now available for Red Hat Enterprise Linux 82 Advanced Update Support, Red Hat Enterprise Linu ...
Synopsis Moderate: idm:DL1 security update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the idm:DL1 module is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as ...
Synopsis Moderate: ipa security update Type / Sévérité Security Advisory: Moderate Analyse des correctifs dans Red Hat Insights Identifiez et remédiez aux systèmes concernés par cette alerte Voir les systèmes concernés Sujet An update for ipa is now available for Red Hat Enterprise Linux 92 Extended Update SupportRed Hat ...
Synopsis Moderate: ipa security update Type / Sévérité Security Advisory: Moderate Analyse des correctifs dans Red Hat Insights Identifiez et remédiez aux systèmes concernés par cette alerte Voir les systèmes concernés Sujet An update for ipa is now available for Red Hat Enterprise Linux 90 Extended Update SupportRed Hat ...
Synopsis Moderate: idm:DL1 security update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the idm:DL1 module is now available for Red Hat Enterprise Linux 86 Extended Update SupportRed Hat Product Security ...
Synopsis Moderate: idm:DL1 security update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the idm:DL1 module is now available for Red Hat Enterprise Linux 84 Advanced Mission Critical Update Support, Red Ha ...
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity During community penetration testing it was found that for cer ...
Description<!---->A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity During community penetration testing it was ...