Attacker Value
Unknown
CVE-2023-5455
CVE-2023-5455
(Last updated April 25, 2024) ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Description
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.
Add Assessment
No one has assessed this topic. Be the first to add your voice to the community.
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
6.5 Medium
Impact Score:
3.6
Exploitability Score:
2.8
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
High
Availability (A):
None
General Information
Vendors
- fedoraproject,
- freeipa,
- redhat
Products
- codeready linux builder -,
- enterprise linux 7.0,
- enterprise linux 8.0,
- enterprise linux 8.4,
- enterprise linux 9.0,
- enterprise linux desktop 7.0,
- enterprise linux eus 8.6,
- enterprise linux eus 8.8,
- enterprise linux eus 9.0,
- enterprise linux eus 9.2,
- enterprise linux for arm 64 eus 8.8,
- enterprise linux for arm 64 eus 9.0,
- enterprise linux for arm 64 eus 9.2,
- enterprise linux for ibm z systems 7.0,
- enterprise linux for ibm z systems 8.0,
- enterprise linux for ibm z systems 9.0,
- enterprise linux for ibm z systems eus 8.6,
- enterprise linux for ibm z systems eus 8.8,
- enterprise linux for ibm z systems eus 9.0,
- enterprise linux for ibm z systems eus 9.2,
- enterprise linux for power big endian 7.0,
- enterprise linux for power little endian 7.0,
- enterprise linux for power little endian 8.0,
- enterprise linux for power little endian 9.0,
- enterprise linux for power little endian eus 8.6,
- enterprise linux for power little endian eus 8.8,
- enterprise linux for power little endian eus 9.0,
- enterprise linux for power little endian eus 9.2,
- enterprise linux for scientific computing 7.0,
- enterprise linux server 9.0,
- enterprise linux server 9.2,
- enterprise linux server aus 8.2,
- enterprise linux server aus 8.4,
- enterprise linux server aus 8.6,
- enterprise linux server aus 9.2,
- enterprise linux server for ibm z systems 9.2,
- enterprise linux server for power little endian update services for sap solutions 8.2,
- enterprise linux server for power little endian update services for sap solutions 8.4,
- enterprise linux server for power little endian update services for sap solutions 8.6,
- enterprise linux server tus 8.2,
- enterprise linux server tus 8.4,
- enterprise linux server tus 8.6,
- enterprise linux server update services for sap solutions 8.2,
- enterprise linux server update services for sap solutions 8.6,
- enterprise linux server update services for sap solutions 9.0,
- enterprise linux server update services for sap solutions 9.2,
- enterprise linux update services for sap solutions 9.0,
- enterprise linux update services for sap solutions 9.2,
- enterprise linux workstation 7.0,
- fedora 38,
- fedora 39,
- fedora 40,
- freeipa,
- freeipa 4.11.0
References
Miscellaneous
