A flaw was found in a way Red Hat Certificate System handled Extensions in the certificate signing requests (CSR). All requested Extensions were added to issued certificate despite constraints defined in Certificate Authority (CA) profile. For example, CSR could contain Basic Constraints or Key Usage constraint that once copied to issued certificate would result in creation of subordinate CA certificate, even though CA configuration prohibits issuing of subordinate CA certificate, possibly leading to a bypass the intended security policy. Affected versions: Red Hat Certificate System 7.1, 7.2, 7.3 Netscape Certificate Management System 6.x
It's hard to code this correctly in CVSS v2. I think we are best to compare it to flaws where a client not verifying the basic constraints for a signed certificate, like CVE-2002-0970 or CVE-2002-0862. The same NVD CVSSv2 score is also used for cases such as when a revoked certificate is accepted by a service. So I believe this should be CVSS v2 Base score: 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P) and therefore impact=important
Lifting embargo.
Setting bug to CLOSED per conversation with QE.