CVE-2020-11628 Information

Description

An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. It is intended to support restriction of the available remote protocols (CMP, ACME, REST, etc.) through the system configuration. These restrictions can be bypassed by modifying the URI string from a client. (EJBCA's internal access control restrictions are still in place, and each respective protocol must be configured to allow enrollment.)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

https://support.primekey.com/news/posts/ejbca-security-advisory-protocol-access-control-bypass

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.3

Base Severity

MEDIUM
