A reflected cross-site scripting (XSS) flaw was found in the pki-ca module of the pki-core server. In the /ca/agent/ca/profileProcess form, the basicConstraintsPathLen parameter is not properly sanitized by the server, which could allow an attacker to inject a specially crafted value that is reflected back and executed in the victim's browser.
Acknowledgments: Name: Pritam Singh (Red Hat)
Statement: This flaw is considered Low, because it requires the attacker to first request or predict a valid nonce. Without a valid nonce, no arbitrary HTML will be sent back to the victim's browser.
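The two conditions described above (a parameter echoed into the response without sanitization, and a nonce that gates the form) are easy to see side by side in a small handler. The following is an added illustration, not code from Dogtag PKI or this bug; the nonce store, the handler names and the crafted probe value are all hypothetical stand-ins for the real /ca/agent/ca/profileProcess logic, and the "hardened" variant shows the generic fixes (reject requests without a valid nonce, validate the path length as an integer, HTML-encode anything that is reflected), not the upstream patch itself.

```python
import html
import re
from urllib.parse import parse_qs, urlencode

# Hypothetical server-side nonce store; the real pki-ca nonce handling is not
# shown on this page. A request must carry one of these values to be processed.
VALID_NONCES = {"4f2c9a1d6b"}

# Constructed probe of the kind used to confirm reflected XSS: it closes the
# attribute and the tag it is reflected into, then injects a script element.
CRAFTED = '"><script>alert(document.domain)</script>'


def build_query(params: dict) -> str:
    """Percent-encode a parameter dict into a query string (test helper)."""
    return urlencode(params)


def vulnerable_profile_process(query_string: str) -> str:
    """The flawed pattern: the parameter is echoed verbatim into an HTML attribute.

    The crafted value above breaks out of value="..." and runs in the browser.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    path_len = params.get("basicConstraintsPathLen", [""])[0]
    return f'<input name="basicConstraintsPathLen" value="{path_len}">'


def hardened_profile_process(query_string: str) -> str:
    """Hardened handler: nonce check first, then validation, then output encoding."""
    params = parse_qs(query_string, keep_blank_values=True)

    # 1. Without a valid nonce nothing attacker-controlled is reflected at all.
    #    This is the property the Statement above relies on for the Low rating.
    nonce = params.get("nonce", [""])[0]
    if nonce not in VALID_NONCES:
        return "<p>Error: missing or invalid nonce</p>"

    path_len = params.get("basicConstraintsPathLen", [""])[0]

    # 2. Positive validation: a basic constraints path length is a small
    #    non-negative integer, so anything else is rejected before use. The
    #    rejected value is still shown to the user, but only after encoding.
    if not re.fullmatch(r"[0-9]{1,4}", path_len):
        return (
            "<p>Error: invalid basicConstraintsPathLen: "
            f"{html.escape(path_len, quote=True)}</p>"
        )

    # 3. Output encoding even for the validated value, so the page stays safe
    #    if the validation rule is ever relaxed.
    return (
        '<input name="basicConstraintsPathLen" '
        f'value="{html.escape(path_len, quote=True)}">'
    )


def reflects_unescaped(rendered: str, probe: str) -> bool:
    """True when the probe string appears in the response exactly as sent."""
    return probe in rendered


if __name__ == "__main__":
    q = build_query({"basicConstraintsPathLen": CRAFTED, "nonce": "4f2c9a1d6b"})
    print("vulnerable:", vulnerable_profile_process(q))
    print("hardened:  ", hardened_profile_process(q))
```

Run stand-alone it prints the vulnerable response with the script element intact and the hardened response with the same bytes neutralized as `&quot;&gt;&lt;script&gt;...`; the `reflects_unescaped` check is the same test a scanner or a regression test would apply to the real endpoint.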
Created pki-core tracking bugs for this issue: Affects: fedora-all [bug 1797761]
Do you know if this was reported upstream and there is an upstream fix?
Upstream is aware. There is currently no fix. However, the security consequences are very limited, e.g.: thanks to the webUI using client-side TLS authentication, stealing a cookie will not be of much use to the attacker. At the moment, the only concern is defacement. If/when there is a fix upstream, it will be posted on this bug tracker. I hope this helps!
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10146
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4847 https://access.redhat.com/errata/RHSA-2020:4847
Actual upstream commit: https://github.com/dogtagpki/pki/commit/b235c0f3c6c249dbba692410b525d8d6fb7409f4 (Marking comment 21 as private as it contains an incorrect commit -- it was in Dinesh's private fork from which the PR was opened. This commit is the one that was merged.)
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2021:0819 https://access.redhat.com/errata/RHSA-2021:0819
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:0851 https://access.redhat.com/errata/RHSA-2021:0851
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2021:0975 https://access.redhat.com/errata/RHSA-2021:0975