CVE-2021-3698: 1992149 – (CVE-2021-3698) CVE-2021-3698 cockpit: authenticates with revoked certificates
A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality.
Bug 1992149 (CVE-2021-3698) - CVE-2021-3698 cockpit: authenticates with revoked certificates
Summary: CVE-2021-3698 cockpit: authenticates with revoked certificates
Keywords:
Status: POST
Alias: CVE-2021-3698
Product: Security Response
Classification: Other
Component: vulnerability
Sub Component:
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: —
Assignee: Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On: 1992432 1992620 2005344 1993783 1998513
Blocks: 1988484 1992150
Reported: 2021-08-10 16:30 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-02-28 14:42 UTC
CC List: 19 users
Fixed In Version: cockpit 260
Doc Type: If docs needed, set a value
Doc Text: A flaw was found in Cockpit in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed:
Links:
System: Github
ID: cockpit-project cockpit pull 16703
Private: 0
Priority: None
Status: open
Summary: session: Validate client certificates against sssd's trusted CA
Last Updated: 2021-12-09 15:08:34 UTC