Vulnerabilities > Freeipa > High

DATE CVE VULNERABILITY TITLE RISK
2024-06-12 CVE-2024-2698 Incorrect Authorization vulnerability in Freeipa 4.11.0/4.11.1/4.12.0
A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets.
network
low complexity
freeipa CWE-863
8.8
2019-11-27 CVE-2019-14867 Resource Exhaustion vulnerability in multiple products
A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data.
network
low complexity
freeipa fedoraproject CWE-400
8.8
2019-11-25 CVE-2012-5631 Reliance on Cookies without Validation and Integrity Checking vulnerability in Freeipa 3.0.0
ipa 3.0 does not properly check server identity before sending credential containing cookies
network
low complexity
freeipa CWE-565
8.8
2018-07-27 CVE-2017-2590 Permission Issues vulnerability in multiple products
A vulnerability was found in ipa before 4.4.
network
low complexity
freeipa redhat CWE-275
8.1
2018-01-10 CVE-2017-12169 Information Exposure vulnerability in Freeipa
It was found that FreeIPA 4.2.0 and later could disclose password hashes to users having the 'System: Read Stage Users' permission.
network
low complexity
freeipa CWE-200
7.5
2017-09-28 CVE-2017-11191 Session Fixation vulnerability in Freeipa
FreeIPA 4.x with API version 2.213 allows a remote authenticated users to bypass intended account-locking restrictions via an unlock action with an old session ID (for the same user account) that had been created for an earlier session.
network
low complexity
freeipa CWE-384
8.8
2017-09-20 CVE-2015-5179 Improper Input Validation vulnerability in Freeipa
FreeIPA might display user data improperly via vectors involving non-printable characters.
network
low complexity
freeipa CWE-20
7.5
2017-08-28 CVE-2016-7030 Credentials Management vulnerability in Freeipa 4.6.0
FreeIPA uses a default password policy that locks an account after 5 unsuccessful authentication attempts, which allows remote attackers to cause a denial of service by locking out the account in which system services run on.
network
low complexity
freeipa CWE-255
7.5
2017-06-27 CVE-2016-5414 Improper Access Control vulnerability in Freeipa 4.4.0
FreeIPA 4.4.0 allows remote attackers to request an arbitrary SAN name for services.
network
low complexity
freeipa CWE-284
7.5