Headline
Vulnerability in open source identity management system Free IPA could lead to XXE attacks
Attackers could ‘take full control of the infrastructure’, warn researchers
Jessica Haworth 18 August 2022 at 15:38 UTC
Attackers could ‘take full control of the infrastructure’, warn researchers
A vulnerability in Free IPA could lead to XML external entity (XXE) attacks, researchers have warned.
FreeIPA is a free and open source identity management system and is the upstream project of Red Hat Identity Management.
A flaw, tracked as CVE-2022-2414, was found in the package, a security advisory from Red Hat warns.
Read more of the latest news about security vulnerabilities
“Access to external entities when parsing XML documents can lead to XML external entity attacks.
“This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.”
The vulnerability, which has a severity rating of 7.5 (high), was discovered by researcher Egor Dimintrenko of security research team PT Swarm.
“In some cases, it allows attackers to read the Directory Manager password from the config of FreeIPA and take full control of the infrastructure,” PT Swarm commented.
It affects Red Hat Enterprise Linux 6-9 and Red Hat Certificate System 9 and 10.
The vulnerability has been patched by Red Hat in all versions apart from Linux 6, which is out of scope. There are no known mitigations available and Red Hat urges users to update.
The Daily Swig has reached out to PT Swarm for further comment and will update this article accordingly.
YOU MAY ALSO LIKE Secure Open Source Rewards program launched to help protect critical upstream software
Related news
Red Hat Security Advisory 2023-3394-01 - The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System.
An update for the pki-core:10.6 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2393: A flaw was found in pki-core, which could allow a user to get a certificate for another user identity when directory-based authentication is enabled. This flaw allows an authenticated attacker on the adjacent network to impersonate another user within the scope of the domain, but they would not be able t...
Red Hat Security Advisory 2023-1966-01 - The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System.
An update for the pki-core:10.6 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2414: A flaw was found in pki-core. Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to pot...
There is an unauthorized buffer overflow vulnerability in Tenda AX12 v22.03.01.21 _ cn. This vulnerability can cause the web service not to restart or even execute arbitrary code. It is a different vulnerability from CVE-2022-2414.
Red Hat Security Advisory 2022-8915-01 - The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System.
An update is now available for Red Hat Certificate System 9.7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2414: pki-core: access to external entities when parsing XML can lead to XXE
Red Hat Security Advisory 2022-8799-01 - The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System.
An update for pki-core is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2414: pki-core: access to external entities when parsing XML can lead to XXE
An update for the pki-core:10.6 and pki-deps:10.6 modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2414: pki-core: access to external entities when parsing XML can lead to XXE
Red Hat Security Advisory 2022-7326-01 - The Public Key Infrastructure Core contains fundamental packages required by Red Hat Certificate System.
An update for pki-core is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2414: pki-core: access to external entities when parsing XML can lead to XXE
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.