Vulnerabilities > CVE-2021-40088 - Missing Authorization vulnerability in Primekey Ejbca

CVSS 4.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

primekey

CWE-862

NVD

Published: 2021-08-25

Updated: 2021-09-07

Summary

An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints (by verifying that the client certificate has access to the CA and Profiles being enrolled against), this check was not performed when authenticating revocation operations, allowing a known tenant to revoke a certificate belonging to another tenant.

Vulnerable Configurations

Part	Description	Count
Application	Primekey Primekey Ejbca 6.15.2.6 Primekey Ejbca 7.0.0 Primekey Ejbca 7.3.1.2 Primekey Ejbca 7.4.1 Primekey Ejbca 7.4.3	5

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://support.primekey.com/news/posts/51