1710171 – (CVE-2019-10146) CVE-2019-10146 pki-core: Reflected XSS in 'path length' constraint field in CA's Agent page

Bug 1710171 (CVE-2019-10146) - CVE-2019-10146 pki-core: Reflected XSS in 'path length' constraint field in CA's Agent page

Summary: CVE-2019-10146 pki-core: Reflected XSS in 'path length' constraint field in C...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-10146
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1714581 1714582 1714583 1724688 1724689 1797761 1842736 1926314 1926315
Blocks:	1710173
TreeView+	depends on / blocked

Reported:	2019-05-15 03:24 UTC by Pedro Sampaio
Modified:	2021-03-23 16:46 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A Reflected Cross Site Scripting flaw was found in the pki-ca module from the pki-core server due to the CA Agent Service not properly sanitizing the certificate request page. An attacker could inject a specially crafted value that will be executed on the victim's browser.
Clone Of:
Environment:
Last Closed:	2020-11-04 02:21:23 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:4847	None	None	None	2020-11-04 03:14:47 UTC
Red Hat Product Errata	RHSA-2021:0819	None	None	None	2021-03-15 13:25:59 UTC
Red Hat Product Errata	RHSA-2021:0851	None	None	None	2021-03-16 13:48:11 UTC
Red Hat Product Errata	RHSA-2021:0975	None	None	None	2021-03-23 16:46:54 UTC

Description Pedro Sampaio 2019-05-15 03:24:30 UTC

A Reflected Cross Site Scripting flaw was found in the pki-ca module from the pki-core server.

In the /ca/agent/ca/profileProcess form, the basicConstraintsPathLen parameter is not properly sanitized by the server and could allow an attacker to inject a specially crafted value that will be executed on the victim's browser.

Comment 3 msiddiqu 2019-05-28 10:52:06 UTC

Acknowledgments:

Name: Pritam Singh (Red Hat)

Comment 7 Cedric Buissart 2019-05-31 10:08:09 UTC

Statement:

This flaw is considered Low, because it requires the attacker to first request or predict a valid nonce. Without a valid nonce, no arbitrary HTML will be sent back to the victim's browser.

Comment 10 Cedric Buissart 2020-02-03 19:52:31 UTC

Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1797761]

Comment 11 Salvatore Bonaccorso 2020-02-07 06:26:53 UTC

Do you know if this was reported upstream and there is an upstream fix?

Comment 12 Cedric Buissart 2020-02-07 14:02:04 UTC

Upstream is aware. There is currently no fix.
However, the security consequences are very limited. 
e.g. : Thanks to the webUI using client side TLS authentication, stealing a cookie will not be of much use to the attacker. 
At the moment, the only concerns are defacing.

If/when there is a fix upstream, it will be posted on this bug tracker.

I hope this helps!

Comment 22 Product Security DevOps Team 2020-11-04 02:21:23 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10146

Comment 23 errata-xmlrpc 2020-11-04 03:15:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4847 https://access.redhat.com/errata/RHSA-2020:4847

Comment 24 Alex Scheel 2020-12-02 16:36:23 UTC

Actual upstream commit:
https://github.com/dogtagpki/pki/commit/b235c0f3c6c249dbba692410b525d8d6fb7409f4

(Marking comment 21 as private as it contains an incorrect commit -- it was in Dinesh's private fork from which the PR was opened. This commit was the one once merged.)

Comment 25 errata-xmlrpc 2021-03-15 13:25:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0819 https://access.redhat.com/errata/RHSA-2021:0819

Comment 26 errata-xmlrpc 2021-03-16 13:48:08 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0851 https://access.redhat.com/errata/RHSA-2021:0851

Comment 27 errata-xmlrpc 2021-03-23 16:46:55 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0975 https://access.redhat.com/errata/RHSA-2021:0975

Note You need to log in before you can comment on or make changes to this bug.