Vulnerability CVE-2021-3551: Information

Description

A flaw was found in the PKI-server, where the spkispawn command, when run in debug mode, stores admin credentials in the installation log file. This flaw allows a local attacker to retrieve the file to obtain the admin password and gain admin privileges to the Dogtag CA manager. The highest threat from this vulnerability is to confidentiality.

Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Fixed packages

References to Advisories, Solutions, and Tools

1. Affected configurations:

   1. Configuration 1

      cpe:2.3:a:dogtagpki:dogtagpki:*:*:*:*:*:*:*:*

      Start including

      10.10.0

      End excliding

      10.10.6

      ---

      Configuration 2

      cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

      ---

      Configuration 3

      cpe:2.3:o:oracle:linux:8:-:*:*:*:*:*:*

      ---

      Configuration 4

      cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:*:*:*:*:*:*:*

      ---