製品・ソフトウェアに関する情報

JVN脆弱性詳細

pki-core における不正な認証に関する脆弱性

Title	pki-core における不正な認証に関する脆弱性
Summary	pki-core には、不正な認証に関する脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 15, 2021, midnight
Registration Date	Nov. 22, 2021, 5:58 p.m.
Last Update	Nov. 22, 2021, 5:58 p.m.

CVSS3.0 : 重要
Score	8.1
Vector	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS2.0 : 警告
Score	5.5
Vector	AV:N/AC:L/Au:S/C:P/I:P/A:N

Affected System

レッドハット

Red Hat Certificate System

Fedora Project

Fedora

Dogtag PKI

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-20179	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20179
Github
2	CVE-2021-20179: Fix renewal profile approval process - v10.10 #3475	https://github.com/dogtagpki/pki/pull/3475
3	CVE-2021-20179: Fix renewal profile approval process - v10.11 #3474	https://github.com/dogtagpki/pki/pull/3474
4	CVE-2021-20179: Fix renewal profile approval process - v10.5 #3478	https://github.com/dogtagpki/pki/pull/3478
5	CVE-2021-20179: Fix renewal profile approval process - v10.8 #3477	https://github.com/dogtagpki/pki/pull/3477
6	CVE-2021-20179: Fix renewal profile approval process - v10.9 #3476	https://github.com/dogtagpki/pki/pull/3476
National Vulnerability Database (NVD)
7	CVE-2021-20179	https://nvd.nist.gov/vuln/detail/CVE-2021-20179

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-863	https://cwe.mitre.org/data/definitions/863.html

ベンダー情報

No	Name	URL
Fedora Update Notification
1	FEDORA-2021-344dd24c84	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HRE44N6P24AEDKRMWK7RPRLMCUUBRJII/
2	FEDORA-2021-6c412a4601	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDOLFOLEIV7I4EUC3SCZBXL6E2ER7ZEN/
3	FEDORA-2021-c0d6637ca5	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3I7BRAHLE2WWSY76W3CKFCF5WSSAE24/
Red Hat Bugzilla
4	Bug 1914379	https://bugzilla.redhat.com/show_bug.cgi?id=1914379

Change Log

No	Changed Details	Date of change
1	[2021年11月22日] 掲載	Nov. 22, 2021, 5:58 p.m.

NVD Vulnerability Information

CVE-2021-20179

Summary	A flaw was found in pki-core. An attacker who has successfully compromised a key could use this flaw to renew the corresponding certificate over and over again, as long as it is not explicitly revoked. The highest threat from this vulnerability is to data confidentiality and integrity.
Publication Date	March 15, 2021, 10:15 p.m.
Registration Date	March 16, 2021, 10:01 a.m.
Last Update	Nov. 21, 2024, 2:46 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:dogtagpki:dogtagpki::::::::	10.5.1			10.8.0
cpe:2.3:a:dogtagpki:dogtagpki::::::::				10.5.0
cpe:2.3:a:dogtagpki:dogtagpki::::::::	10.10.1			10.11.0
cpe:2.3:a:dogtagpki:dogtagpki::::::::	10.9.1			10.10.0
cpe:2.3:a:dogtagpki:dogtagpki::::::::	10.8.1			10.9.0

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
cpe:2.3:a:redhat:certificate_system:10.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:32:::::::*
cpe:2.3:o:fedoraproject:fedora:33:::::::*
cpe:2.3:o:fedoraproject:fedora:34:::::::*

Related information, measures and tools

No	URL	タグ
1	https://bugzilla.redhat.com/show_bug.cgi?id=1914379	Issue Tracking Patch Third Party Advisory
2	https://bugzilla.redhat.com/show_bug.cgi?id=1914379	Issue Tracking Patch Third Party Advisory
3	https://github.com/dogtagpki/pki/pull/3474	Patch Third Party Advisory
4	https://github.com/dogtagpki/pki/pull/3474	Patch Third Party Advisory
5	https://github.com/dogtagpki/pki/pull/3475	Patch Third Party Advisory
6	https://github.com/dogtagpki/pki/pull/3475	Patch Third Party Advisory
7	https://github.com/dogtagpki/pki/pull/3476	Patch Third Party Advisory
8	https://github.com/dogtagpki/pki/pull/3476	Patch Third Party Advisory
9	https://github.com/dogtagpki/pki/pull/3477	Patch Third Party Advisory
10	https://github.com/dogtagpki/pki/pull/3477	Patch Third Party Advisory
11	https://github.com/dogtagpki/pki/pull/3478	Patch Third Party Advisory
12	https://github.com/dogtagpki/pki/pull/3478	Patch Third Party Advisory
13	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDOLFOLEIV7I4EUC3SCZBXL6E2ER7ZEN/
14	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDOLFOLEIV7I4EUC3SCZBXL6E2ER7ZEN/
15	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRE44N6P24AEDKRMWK7RPRLMCUUBRJII/
16	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HRE44N6P24AEDKRMWK7RPRLMCUUBRJII/
17	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R3I7BRAHLE2WWSY76W3CKFCF5WSSAE24/
18	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R3I7BRAHLE2WWSY76W3CKFCF5WSSAE24/

Common Vulnerabilities List