QwikSec

Security Database

CVE

CWE

Training

CVE-2019-14823

Published: Oct 14, 2019

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.0

6.8

MEDIUM

Description

A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.

Vendor	Product	Versions
Dogtag	JSS	affected `affects >= 4.4.6` affected `affects >= 4.5.3` affected `affects >= 4.6.0`

Weaknesses (CWE)

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14823

x_refsource_CONFIRM

vendor-advisory

x_refsource_REDHAT

FEDORA-2019-68c2fbcf82

vendor-advisory

x_refsource_FEDORA

FEDORA-2019-4d33c62860

vendor-advisory

x_refsource_FEDORA

FEDORA-2019-24a0a2f24e

vendor-advisory

x_refsource_FEDORA

vendor-advisory

x_refsource_REDHAT

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.