In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did not enable python-requests certificate validation. Since the verify parameter was hard-coded in all request functions, it was not possible to override the setting. As a result, tools making use of this class, such as the pki-server command, may have been vulnerable to Person-in-the-Middle attacks in certain non-localhost use cases. This is fixed in 10.9.0-b1.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2020-07-14T13:46:58
Updated: 2024-08-04T13:22:30.811Z
Reserved: 2020-07-14T00:00:00
Link: CVE-2020-15720
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-07-14T14:15:17.713
Modified: 2024-11-21T05:06:06.093
Link: CVE-2020-15720
Redhat