ID CVE-2018-1080
Summary Dogtag PKI, through version 10.6.1, has a vulnerability in AAclAuthz.java that, under certain configurations, causes the application of ACL allow and deny rules to be reversed. If a server is configured to process allow rules before deny rules (authz.evaluateOrder=allow,deny), then allow rules will deny access and deny rules will grant access. This may result in an escalation of privileges or have other unintended consequences.
References
Vulnerable Configurations
  • cpe:2.3:a:dogtagpki:dogtagpki:10.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.3.3:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.3.4:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.3.5:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.4.3:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.4.4:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.4.5:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.4.6:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.4.7:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.4.8:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.4.8:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.2:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.3:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.4:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.5:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.6:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.7:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.7:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.8:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.8:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.9:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.9:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.10:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.10:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.11:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.11:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.12:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.12:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.16:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.16:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.5.17:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.5.17:*:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.6.0:-:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.6.0:-:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.6.0:beta:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.6.0:beta:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.6.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.6.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.6.0:rc:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.6.0:rc:*:*:*:*:*:*
  • cpe:2.3:a:dogtagpki:dogtagpki:10.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:dogtagpki:dogtagpki:10.6.1:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 09-10-2019 - 23:38)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 1588945
title CRMFPopClient tool - should allow option to do no key archival [rhel-7.5.z]
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhba:tst:20150364001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhba:tst:20150364002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhba:tst:20150364003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20150364004
  • OR
    • AND
      • comment pki-base is earlier than 0:10.5.1-13.1.el7_5
        oval oval:com.redhat.rhsa:tst:20181979017
      • comment pki-base is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20172335018
    • AND
      • comment pki-base-java is earlier than 0:10.5.1-13.1.el7_5
        oval oval:com.redhat.rhsa:tst:20181979009
      • comment pki-base-java is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20172335014
    • AND
      • comment pki-ca is earlier than 0:10.5.1-13.1.el7_5
        oval oval:com.redhat.rhsa:tst:20181979011
      • comment pki-ca is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20130511022
    • AND
      • comment pki-javadoc is earlier than 0:10.5.1-13.1.el7_5
        oval oval:com.redhat.rhsa:tst:20181979015
      • comment pki-javadoc is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20172335012
    • AND
      • comment pki-kra is earlier than 0:10.5.1-13.1.el7_5
        oval oval:com.redhat.rhsa:tst:20181979019
      • comment pki-kra is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20172335016
    • AND
      • comment pki-server is earlier than 0:10.5.1-13.1.el7_5
        oval oval:com.redhat.rhsa:tst:20181979013
      • comment pki-server is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20172335020
    • AND
      • comment pki-symkey is earlier than 0:10.5.1-13.1.el7_5
        oval oval:com.redhat.rhsa:tst:20181979005
      • comment pki-symkey is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20130511006
    • AND
      • comment pki-tools is earlier than 0:10.5.1-13.1.el7_5
        oval oval:com.redhat.rhsa:tst:20181979007
      • comment pki-tools is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20172335008
rhsa
id RHSA-2018:1979
released 2018-06-26
severity Moderate
title RHSA-2018:1979: pki-core security, bug fix, and enhancement update (Moderate)
rpms
  • pki-base-0:10.5.1-13.1.el7_5
  • pki-base-java-0:10.5.1-13.1.el7_5
  • pki-ca-0:10.5.1-13.1.el7_5
  • pki-javadoc-0:10.5.1-13.1.el7_5
  • pki-kra-0:10.5.1-13.1.el7_5
  • pki-server-0:10.5.1-13.1.el7_5
  • pki-symkey-0:10.5.1-13.1.el7_5
  • pki-tools-0:10.5.1-13.1.el7_5
refmap via4
confirm
Last major update 09-10-2019 - 23:38
Published 03-07-2018 - 01:29
Back to Top