MidnightBSD

Advisories for valicert

CVE-2001-0947 HIGH

Forms.exe CGI program in ValiCert Enterprise Validation Authority (EVA) 3.3 through 4.2.1 allows remote attackers to determine the real pathname of the server by requesting an invalid extension, which produces an error page that includes the path.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
valicert enterprise_validation_authority 3.9
valicert enterprise_validation_authority 3.3
valicert enterprise_validation_authority 3.6
valicert enterprise_validation_authority 4.0
valicert enterprise_validation_authority 3.4
valicert enterprise_validation_authority 4.2.1
valicert enterprise_validation_authority 3.7
valicert enterprise_validation_authority 3.5
valicert enterprise_validation_authority 4.1
valicert enterprise_validation_authority 4.2
valicert enterprise_validation_authority 3.8
CVE-2001-0948 HIGH

Cross-site scripting (CSS) vulnerability in ValiCert Enterprise Validation Authority (EVA) 3.3 through 4.2.1 allows remote attackers to execute arbitrary code or display false information by including HTML or script in the certificate's description, which is executed when the certificate is viewed.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
valicert enterprise_validation_authority 3.9
valicert enterprise_validation_authority 3.3
valicert enterprise_validation_authority 3.6
valicert enterprise_validation_authority 4.0
valicert enterprise_validation_authority 3.4
valicert enterprise_validation_authority 4.2.1
valicert enterprise_validation_authority 3.7
valicert enterprise_validation_authority 3.5
valicert enterprise_validation_authority 4.1
valicert enterprise_validation_authority 4.2
valicert enterprise_validation_authority 3.8
CVE-2001-0949 HIGH

Buffer overflows in forms.exe CGI program in ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 allows remote attackers to execute arbitrary code via long arguments to the parameters (1) Mode, (2) Certificate_File, (3) useExpiredCRLs, (4) listenLength, (5) maxThread, (6) maxConnPerSite, (7) maxMsgLen, (8) exitTime, (9) blockTime, (10) nextUpdatePeriod, (11) buildLocal, (12) maxOCSPValidityPeriod, (13) extension, and (14) a particular combination of parameters associated with private key generation that form a string of a certain length.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
valicert enterprise_validation_authority 3.9
valicert enterprise_validation_authority 3.3
valicert enterprise_validation_authority 3.6
valicert enterprise_validation_authority 4.0
valicert enterprise_validation_authority 3.4
valicert enterprise_validation_authority 4.2.1
valicert enterprise_validation_authority 3.7
valicert enterprise_validation_authority 3.5
valicert enterprise_validation_authority 4.1
valicert enterprise_validation_authority 4.2
valicert enterprise_validation_authority 3.8
CVE-2001-0950 HIGH

ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 uses insufficiently random data to (1) generate session tokens for HSMs using the C rand function, or (2) generate certificates or keys using /dev/urandom instead of another source which blocks when the entropy pool is low, which could make it easier for local or remote attackers to steal tokens or certificates via brute force guessing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-331,

Products Affected

Vendor Product Version
valicert enterprise_validation_authority *