CVE-2021-40088
Last modified
CVE-2021-40088 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. EPSS estimates a 0.36% chance of exploitation in the next 30 days.
Description
An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints (by verifying that the client certificate has access to the CA and Profiles being enrolled against), this check was not performed when authenticating revocation operations, allowing a known tenant to revoke a certificate belonging to another tenant.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Primekey | Ejbca | < 7.6.0 |
References
- https://support.primekey.com/news/posts/51Vendor Advisory
- https://support.primekey.com/news/posts/51Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-40088?
How severe is CVE-2021-40088?
How do I fix CVE-2021-40088?
Are you affected by CVE-2021-40088?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST