In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did not enable python-requests certificate validation. Since the verify parameter was hard-coded in all request functions, it was not possible to override the setting. As a result, tools making use of this class, such as the pki-server command, may have been vulnerable to Person-in-the-Middle attacks in certain non-localhost use cases. This is fixed in 10.9.0-b1.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-07-14T13:46:58

Updated: 2024-08-04T13:22:30.811Z

Reserved: 2020-07-14T00:00:00

Link: CVE-2020-15720

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-07-14T14:15:17.713

Modified: 2024-11-21T05:06:06.093

Link: CVE-2020-15720

cve-icon Redhat

Severity : Moderate

Publid Date: 2020-06-23T00:00:00Z

Links: CVE-2020-15720 - Bugzilla