CVE Vulnerabilities

CVE-2023-5455

Cross-Site Request Forgery (CSRF)

Published: Jan 10, 2024 | Modified: Sep 16, 2024

CVSS 3.x (source: NVD): 6.5 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVSS 2.x: (no score listed)
RedHat/V2: (no score listed)
RedHat/V3: 6.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Ubuntu: MEDIUM

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP endpoints FreeIPA does not ensure CSRF protection. Due to implementation details, one cannot use this flaw for reflection of a cookie representing an already logged-in user. An attacker would always have to go through a new authentication attempt.

Weakness

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freeipa | Freeipa | * | 4.6.10 (excluding) |
| Freeipa | Freeipa | 4.7.0 (including) | 4.9.14 (excluding) |
| Freeipa | Freeipa | 4.10.0 (including) | 4.10.3 (excluding) |
| Freeipa | Freeipa | 4.11.0 (including) | 4.11.0 (including) |
| Freeipa | Freeipa | 4.11.0-beta1 (including) | 4.11.0-beta1 (including) |
| Freeipa | Ubuntu | bionic | * |
| Freeipa | Ubuntu | lunar | * |
| Freeipa | Ubuntu | mantic | * |
| Freeipa | Ubuntu | trusty | * |
| Freeipa | Ubuntu | trusty/esm | * |
| Freeipa | Ubuntu | xenial | * |
| Red Hat Enterprise Linux 7 | RedHat | ipa-0:4.6.8-5.el7_9.16 | * |
| Red Hat Enterprise Linux 8 | RedHat | idm:DL1-8090020231201152514.3387e3d0 | * |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | idm:DL1-8020020231123154806.792f4060 | * |
| Red Hat Enterprise Linux 8.2 Telecommunications Update Service | RedHat | idm:DL1-8020020231123154806.792f4060 | * |
| Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions | RedHat | idm:DL1-8020020231123154806.792f4060 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | idm:DL1-8040020231123154610.5b01ab7e | * |
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | RedHat | idm:DL1-8040020231123154610.5b01ab7e | * |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | RedHat | idm:DL1-8040020231123154610.5b01ab7e | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | idm:DL1-8060020231208020207.ada582f1 | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | krb5-0:1.18.2-16.el8_6 | * |
| Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | idm:DL1-8080020231201153604.b0a6ceea | * |
| Red Hat Enterprise Linux 9 | RedHat | ipa-0:4.10.2-5.el9_3 | * |
| Red Hat Enterprise Linux 9.0 Extended Update Support | RedHat | ipa-0:4.9.8-9.el9_0 | * |
| Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | ipa-0:4.10.1-10.el9_2 | * |

Potential Mitigations

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
      ◦ For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330]
      ◦ Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
  • Use the “double-submitted cookie” method as described by Felten and Zeller:
      ◦ When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user’s machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same.
      ◦ Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult.
      ◦ This technique requires JavaScript, so it may not work for browsers that have JavaScript disabled. [REF-331]
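The server-side half of the double-submitted cookie check described above, written as an added example for this page (it is not FreeIPA code and not the CWE text's reference implementation). The cookie name, form field name and the simulated login handler are assumptions chosen for illustration.

```python
import hmac
import secrets

CSRF_COOKIE = "csrf_cookie"   # assumed cookie name (not FreeIPA's)
CSRF_FIELD = "csrf_token"     # assumed form field name (not FreeIPA's)


def issue_csrf_token() -> str:
    """Pseudorandom value the site sets as a cookie on the user's first visit.

    256 bits from the OS CSPRNG: guessing it is prohibitively difficult.
    """
    return secrets.token_urlsafe(32)


def csrf_request_is_valid(cookies: dict, form: dict) -> bool:
    """Double-submit rule: the form value must equal the cookie value.

    A cross-site form cannot read the victim's cookie (same-origin policy),
    so it cannot supply a matching form value. A missing half on either side
    is treated as forged, and the comparison is constant-time.
    """
    cookie_token = cookies.get(CSRF_COOKIE)
    form_token = form.get(CSRF_FIELD)
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def handle_login_post(cookies: dict, form: dict) -> tuple:
    """Simulated password-login POST handler (hypothetical, not FreeIPA's).

    Returns (HTTP status, outcome). The CSRF check runs before credentials
    are looked at, so a forged request never reaches authentication.
    """
    if not csrf_request_is_valid(cookies, form):
        return (403, "csrf-rejected")
    if form.get("user") and form.get("password"):
        return (200, "authenticated")
    return (401, "bad-credentials")


def demo() -> dict:
    """Constructed requests: one legitimate, one with no token, one guessed."""
    token = issue_csrf_token()
    creds = {"user": "alice", "password": "example"}
    legit = handle_login_post({CSRF_COOKIE: token}, {CSRF_FIELD: token, **creds})
    no_field = handle_login_post({CSRF_COOKIE: token}, dict(creds))
    guessed = handle_login_post({CSRF_COOKIE: token}, {CSRF_FIELD: "guess", **creds})
    return {"legit": legit, "no_field": no_field, "guessed": guessed}
```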

References