Bug 1695901 (CVE-2019-10179) - CVE-2019-10179 pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab
Summary: CVE-2019-10179 pki-core/pki-kra: Reflected XSS in recoveryID search field at ...
Keywords:
Status: NEW
Alias: CVE-2019-10179
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1797689 1842734 1724713 1724714
Blocks: 1695902
TreeView+ depends on / blocked
 
Reported: 2019-04-03 21:19 UTC by Pedro Sampaio
Modified: 2020-06-02 01:28 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the Key Recovery Authority (KRA) Agent Service did not properly sanitize recovery request search page, enabling a Reflected Cross Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted Javascript code.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Pedro Sampaio 2019-04-03 21:19:03 UTC
A flaw was found in recoveryID search field at KRA's DRM agent page in authorize recovery tab, this user input is not being sanitized and therefore it is vulnerable to a reflected XSS.

Comment 1 Cedric Buissart 2019-05-29 09:44:18 UTC
Acknowledgments:

Name: Pritam Singh (Red Hat)

Comment 7 Cedric Buissart 2020-02-03 16:30:40 UTC
Statement:

This vulnerability is rated Low : the web UI uses client TLS authentication, therefore stealing session cookies will not be sufficient for unauthorized access. The vulnerable page itself does not contain secrets.

Comment 8 Cedric Buissart 2020-02-03 16:31:08 UTC
Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1797689]

Comment 9 Salvatore Bonaccorso 2020-02-07 06:28:57 UTC
Do you know if this was reported in the upstream issue tracker and there is a fix?

Comment 10 Cedric Buissart 2020-02-07 14:02:39 UTC
Upstream is aware. There is currently no fix.
However, the security consequences are very limited. 
e.g. : Thanks to the webUI using client side TLS authentication, stealing a cookie will not be of much use to the attacker. 
At the moment, the only concerns are defacing.

If/when there is a fix upstream, it will be posted on this bug tracker.

I hope this helps!


Note You need to log in before you can comment on or make changes to this bug.