A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 2.2 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-358,CWE-295,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux | 7.3 |
| redhat | enterprise_linux_server_tus | 7.7 |
| redhat | enterprise_linux_eus | 7.7 |
| redhat | enterprise_linux_workstation | 7.0 |
| redhat | enterprise_linux | 7.6 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_server_aus | 7.7 |
| redhat | enterprise_linux | 6.9 |
| jss_cryptomanager_project | jss_cryptomanager | * |
| redhat | enterprise_linux | 7.4 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 6.10 |
| redhat | enterprise_linux | 6.7 |
| redhat | enterprise_linux | 7.1 |
| redhat | enterprise_linux | 6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux | 6.2 |
| redhat | enterprise_linux | 6.0 |
| redhat | enterprise_linux | 6.3 |
| redhat | enterprise_linux | 6.6 |
| redhat | enterprise_linux | 6.5 |
| redhat | enterprise_linux | 7.5 |
| redhat | enterprise_linux | 6.1 |
| redhat | enterprise_linux | 6.8 |
| redhat | enterprise_linux | 7.7 |
| redhat | enterprise_linux | 7.2 |