PyPI: ipa

CVE-2023-5455

Safety vulnerability ID: 65209

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created: Jan 10, 2024. Updated: Nov 29, 2024.

Advisory

A cross-site request forgery (CSRF) vulnerability exists in the FreeIPA endpoint ipa/session/login_password. The flaw lets an attacker trick a user into submitting a request that performs actions as that user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that FreeIPA does not enforce CSRF protection on certain HTTP endpoints. Because of implementation details, the flaw cannot be used to reuse the session cookie of an already logged-in user: an attacker would always have to go through a new authentication attempt.
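
The advisory describes a login CSRF: the endpoint accepts a password login from any origin, so an attacker's page can make the victim's browser authenticate with attacker-chosen credentials, while the victim's existing session cookie is of no use to the attacker. The following Python is an added illustration of that failure mode and of one common mitigation (validating the Origin/Referer header against the server's own host); it is not FreeIPA's code and does not claim to reproduce the upstream fix. The Request/Response types, the host name ipa.example.test, the user store and the "mallory" attacker account are all constructed for the example.

```python
"""Added illustration of login CSRF on a password-login endpoint and one way to
close it (Origin/Referer validation). Not FreeIPA's implementation: the request
and response types, host name and user store are constructed for this example."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

LOGIN_PATH = "/ipa/session/login_password"
SERVER_HOST = "ipa.example.test"  # constructed host name for the example

# Constructed credential store. Plaintext only to keep the example short;
# "mallory" is an account the attacker controls.
USERS = {"alice": "correct horse battery staple", "mallory": "attacker-pw"}


@dataclass
class Request:
    method: str
    path: str
    form: dict
    headers: dict  # header names lower-cased, as a WSGI layer would present them
    host: str = SERVER_HOST


@dataclass
class Response:
    status: int
    body: str
    set_cookie: Optional[str] = None


def _authenticate(form: dict) -> Response:
    """Password check shared by both handlers; issues a session cookie on success."""
    user, password = form.get("user"), form.get("password")
    if user is None or USERS.get(user) != password:
        return Response(401, "invalid password")
    # A real server would issue a random session id; the user name stands in here.
    return Response(200, f"logged in as {user}", set_cookie=f"ipa_session={user}")


def login_password_unprotected(req: Request) -> Response:
    """Weak form: any POST is accepted, so a page on another origin can make the
    victim's browser log in with attacker-supplied credentials (login CSRF)."""
    if req.method != "POST" or req.path != LOGIN_PATH:
        return Response(404, "not found")
    return _authenticate(req.form)


def _same_origin(req: Request) -> bool:
    """Browsers attach Origin to cross-site POSTs and Referer to most navigations;
    accept the request only if whichever is present points back at this server.
    A request carrying neither header is rejected rather than waved through."""
    src = req.headers.get("origin") or req.headers.get("referer")
    if not src:
        return False
    parts = urlsplit(src)
    return parts.scheme == "https" and parts.netloc == req.host


def login_password_protected(req: Request) -> Response:
    """Hardened form: the same handler with a same-origin check before authentication."""
    if req.method != "POST" or req.path != LOGIN_PATH:
        return Response(404, "not found")
    if not _same_origin(req):
        return Response(403, "cross-site login request rejected")
    return _authenticate(req.form)


def forged_login(handler) -> Response:
    """Simulate the attack: the victim visits https://evil.example, whose page
    auto-submits a form to the IPA server with the attacker's own credentials.
    The victim's existing ipa_session cookie plays no role, matching the advisory:
    the attacker must go through a fresh authentication, not reuse the session."""
    req = Request("POST", LOGIN_PATH,
                  form={"user": "mallory", "password": "attacker-pw"},
                  headers={"origin": "https://evil.example",
                           "referer": "https://evil.example/lure.html",
                           "cookie": "ipa_session=alice"})
    return handler(req)


def legitimate_login(handler) -> Response:
    """The genuine login form, served from the IPA web UI on the same host."""
    req = Request("POST", LOGIN_PATH,
                  form={"user": "alice", "password": "correct horse battery staple"},
                  headers={"origin": f"https://{SERVER_HOST}",
                           "referer": f"https://{SERVER_HOST}/ipa/ui/"})
    return handler(req)


if __name__ == "__main__":
    print("unprotected, forged :", forged_login(login_password_unprotected))
    print("protected,   forged :", forged_login(login_password_protected))
    print("protected,   genuine:", legitimate_login(login_password_protected))
```

Against the unprotected handler the forged request succeeds and the victim's browser is left holding a session for the attacker's account, which is the classic login-CSRF outcome; the protected handler refuses it and still accepts the genuine form. Two caveats for anyone applying this pattern: an Origin/Referer check is the minimum, and a per-session CSRF token is the stronger control for state-changing endpoints; and rejecting requests that carry neither header, as done here, will also reject non-browser clients that do not send them, so a server with CLI or API clients has to decide deliberately how those are distinguished from browser traffic.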

Affected package

ipa

Latest version: 4.12.2

Dummy package for FreeIPA

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

Severity Details

CVSS Base Score: MEDIUM 6.5

CVSS v3 Details (vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N): MEDIUM 6.5
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): HIGH
Availability Impact (A): NONE