Alma Linux: CVE-2023-5455: Moderate: idm:DL1 security update (Multiple Advisories)

Alma Linux: CVE-2023-5455: Moderate: idm:DL1 security update (Multiple Advisories)

Severity

7

CVSS

(AV:N/AC:M/Au:N/C:N/I:C/A:N)

Published

01/10/2024

Created

01/16/2024

Added

01/15/2024

Modified

01/28/2025

Description

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

Solution(s)

• alma-upgrade-bind-dyndb-ldap
• alma-upgrade-custodia
• alma-upgrade-ipa-client
• alma-upgrade-ipa-client-common
• alma-upgrade-ipa-client-epn
• alma-upgrade-ipa-client-samba
• alma-upgrade-ipa-common
• alma-upgrade-ipa-healthcheck
• alma-upgrade-ipa-healthcheck-core
• alma-upgrade-ipa-python-compat
• alma-upgrade-ipa-selinux
• alma-upgrade-ipa-server
• alma-upgrade-ipa-server-common
• alma-upgrade-ipa-server-dns
• alma-upgrade-ipa-server-trust-ad
• alma-upgrade-opendnssec
• alma-upgrade-python3-custodia
• alma-upgrade-python3-ipaclient
• alma-upgrade-python3-ipalib
• alma-upgrade-python3-ipaserver
• alma-upgrade-python3-ipatests
• alma-upgrade-python3-jwcrypto
• alma-upgrade-python3-kdcproxy
• alma-upgrade-python3-pyusb
• alma-upgrade-python3-qrcode
• alma-upgrade-python3-qrcode-core
• alma-upgrade-python3-yubico
• alma-upgrade-slapi-nis
• alma-upgrade-softhsm
• alma-upgrade-softhsm-devel

References

• https://attackerkb.com/topics/cve-2023-5455
• CVE - 2023-5455
• https://errata.almalinux.org/8/ALSA-2024-0143.html
• https://errata.almalinux.org/9/ALSA-2024-0141.html