Robert Mead reported that the Registration Authority component (rhpki-ra) of the Red Hat Certificate System / Dogtag Certificate System did not properly check agents' authorizations in some CGI scripts. In deployments where certificate requests are processed by multiple agent groups, an agent from any group was able to approve or reject certificate requests in the queue for any other agent group, if he was able to guess the request ID.

Original report: bug #484828

Affected systems:
Dogtag Certificate System
Red Hat Certificate System 7.3
Upstream SVN commit: svn diff -c 377 https://pki.fedoraproject.org/svn/pki/trunk/pki
This issue has been addressed in the following products:

Red Hat Certificate System 7.3

Via RHSA-2009:1065 https://rhn.redhat.com/errata/RHSA-2009-1065.html
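The class of flaw in the report above (an approve/reject handler that trusts the request ID without checking which agent group owns the request) can be modelled as follows. This is an added example, not code from Dogtag or Red Hat Certificate System; the group names, data model and function names are hypothetical, and the sample queue is constructed.

```python
from dataclasses import dataclass

class NotAuthorized(Exception):
    """Raised both for an unknown request ID and for another group's request."""

@dataclass
class Request:
    request_id: int
    assigned_group: str          # agent group whose queue holds this request
    status: str = "pending"

@dataclass(frozen=True)
class Agent:
    uid: str
    groups: frozenset

def sample_queue():
    # Constructed sample data; group names are hypothetical.
    return {101: Request(101, "ra-agents-east"), 102: Request(102, "ra-agents-west")}

def set_status_unchecked(queue, agent, request_id, status):
    """Behaviour described in the report: any agent may act on any request ID."""
    req = queue[request_id]
    req.status = status
    return req

def set_status_checked(queue, agent, request_id, status, audit):
    """Object-level check: the request's group must be one of the agent's groups."""
    if status not in ("approved", "rejected"):
        raise ValueError("unsupported status")
    req = queue.get(request_id)
    if req is None or req.assigned_group not in agent.groups:
        # Identical error for "no such ID" and "other group's request", so the
        # response does not confirm which IDs exist; the denial is logged.
        audit.append((agent.uid, request_id, "denied"))
        raise NotAuthorized("request not available")
    if req.status != "pending":
        raise ValueError("request already processed")
    req.status = status
    audit.append((agent.uid, request_id, status))
    return req
```

Repeated "denied" audit entries for one agent across many request IDs are the signal to review, since the flaw depended on guessing IDs.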