
CVSS: 6.0 | EPSS: 0% | CPEs: 4 | EXPL: 0

The verifyProof function in the Token Processing System (TPS) component in Red Hat Certificate System (RHCS) 7.1 through 7.3 and Dogtag Certificate System 1.0 returns successfully even when token enrollment did not use the hardware key, which allows remote authenticated users with enrollment privileges to bypass intended authentication policies by performing enrollment with a software key.

• http://secunia.com/advisories/33693
• http://www.securityfocus.com/bid/33508
• http://www.vupen.com/english/advisories/2009/0145
• https://bugzilla.redhat.com/show_bug.cgi?id=475998
• https://exchange.xforce.ibmcloud.com/vulnerabilities/48331
• https://rhn.redhat.com/errata/RHSA-2009-0007.html
• https://access.redhat.com/security/cve/CVE-2008-5082
• CWE-287: Improper Authentication

CVSS: 2.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Red Hat Certificate System 7.2 uses world-readable permissions for password.conf and unspecified other configuration files, which allows local users to discover passwords by reading these files.

• http://secunia.com/advisories/33540
• http://securitytracker.com/id?1021608
• http://www.securityfocus.com/bid/33288
• http://www.vupen.com/english/advisories/2009/0145
• https://bugzilla.redhat.com/show_bug.cgi?id=451998
• https://exchange.xforce.ibmcloud.com/vulnerabilities/48021
• https://rhn.redhat.com/errata/RHSA-2009-0006.html
• https://rhn.redhat.com/errata/RHSA-2009-0007.html
• https://access.redhat.com/security/cve/CVE-2008-2367
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 2.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Red Hat Certificate System 7.2 stores passwords in cleartext in the UserDirEnrollment log, the RA wizard installer log, and unspecified other debug log files, and uses weak permissions for these files, which allows local users to discover passwords by reading the files.

• http://secunia.com/advisories/33540
• http://securitytracker.com/id?1021608
• http://www.securityfocus.com/bid/33288
• http://www.vupen.com/english/advisories/2009/0145
• https://bugzilla.redhat.com/show_bug.cgi?id=452000
• https://exchange.xforce.ibmcloud.com/vulnerabilities/48022
• https://rhn.redhat.com/errata/RHSA-2009-0006.html
• https://rhn.redhat.com/errata/RHSA-2009-0007.html
• https://access.redhat.com/security/cve/CVE-2008-2368
• CWE-255: Credentials Management Errors

CVSS: 7.5 | EPSS: 1% | CPEs: 7 | EXPL: 0

Red Hat PKI Common Framework (rhpki-common) in Red Hat Certificate System (aka Certificate Server or RHCS) 7.1 through 7.3, and Netscape Certificate Management System 6.x, does not recognize Certificate Authority profile constraints on Extensions, which might allow remote attackers to bypass intended restrictions and conduct man-in-the-middle attacks by submitting a certificate signing request (CSR) and using the resulting certificate.

• http://rhn.redhat.com/errata/RHSA-2008-0500.html
• http://rhn.redhat.com/errata/RHSA-2008-0577.html
• http://secunia.com/advisories/30929
• http://www.securityfocus.com/bid/30062
• http://www.securitytracker.com/id?1020427
• https://bugzilla.redhat.com/show_bug.cgi?id=445227
• https://exchange.xforce.ibmcloud.com/vulnerabilities/43573
• https://access.redhat.com/security/cve/CVE-2008-1676
• CWE-255: Credentials Management Errors
• CWE-297: Improper Validation of Certificate with Host Mismatch