RHSA-2021:0947: Red Hat Security Advisory: pki-core and redhat-pki-theme security and bug fix update

An update for pki-core and redhat-pki-theme is now available for Red Hat Certificate System 9.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System. Security Fix(es):

• pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab (CVE-2019-10178)
• pki-core: unsanitized token parameters in TPS resulting in stored XSS (CVE-2019-10180)
• pki-core: Stored XSS in TPS profile creation (CVE-2020-1696) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es):
• TPS - Add logging to tdbAddCertificatesForCUID if adding or searching for cert record fails (BZ#1710978)
• TPS - Update Error Codes returned to client (CIW/ESC) to Match CS8 (BZ#1858860)
• TPS - Server side key generation is not working for Identity only tokens - Missing some commits (BZ#1858861)
• TPS does not check token cuid on the user registration record during PIN reset (BZ#1858867)
• Update RHCS version of CA, KRA, OCSP, and TKS so that it can be identified using a browser [RHCS 9.7.z BU 2] (BZ#1895104)
• Update RHCS version of CA, KRA, OCSP, and TKS so that it can be identified using a browser [RHCS 9.7.z BU 4] (BZ#1914474) Related CVEs:
• CVE-2019-10178: pki-core: stored Cross-site scripting (XSS) in the pki-tps web Activity tab
• CVE-2019-10180: pki-core: unsanitized token parameters in TPS resulting in stored XSS
• CVE-2020-1696: pki-core: Stored XSS in TPS profile creation