Vulnerability Details CVE-2019-14823
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 43.7%
CVSS Severity
CVSS v3 Score 6.8
CVSS v2 Score 5.8
Products affected by CVE-2019-14823
- cpe:2.3:a:jss_cryptomanager_project:jss_cryptomanager:4.4.6
- cpe:2.3:a:jss_cryptomanager_project:jss_cryptomanager:4.4.7
- cpe:2.3:a:jss_cryptomanager_project:jss_cryptomanager:4.5.3
- cpe:2.3:a:jss_cryptomanager_project:jss_cryptomanager:4.5.4
- cpe:2.3:a:jss_cryptomanager_project:jss_cryptomanager:4.6.0
- cpe:2.3:a:jss_cryptomanager_project:jss_cryptomanager:4.6.1
- cpe:2.3:a:jss_cryptomanager_project:jss_cryptomanager:4.6.2
- cpe:2.3:o:linux:linux_kernel:-
- cpe:2.3:o:redhat:enterprise_linux:6.0
- cpe:2.3:o:redhat:enterprise_linux:6.1
- cpe:2.3:o:redhat:enterprise_linux:6.10
- cpe:2.3:o:redhat:enterprise_linux:6.2
- cpe:2.3:o:redhat:enterprise_linux:6.3
- cpe:2.3:o:redhat:enterprise_linux:6.4
- cpe:2.3:o:redhat:enterprise_linux:6.5
- cpe:2.3:o:redhat:enterprise_linux:6.6
- cpe:2.3:o:redhat:enterprise_linux:6.7
- cpe:2.3:o:redhat:enterprise_linux:6.8
- cpe:2.3:o:redhat:enterprise_linux:6.9
- cpe:2.3:o:redhat:enterprise_linux:7.0
- cpe:2.3:o:redhat:enterprise_linux:7.1
- cpe:2.3:o:redhat:enterprise_linux:7.2
- cpe:2.3:o:redhat:enterprise_linux:7.3
- cpe:2.3:o:redhat:enterprise_linux:7.4
- cpe:2.3:o:redhat:enterprise_linux:7.5
- cpe:2.3:o:redhat:enterprise_linux:7.6
- cpe:2.3:o:redhat:enterprise_linux:7.7
- cpe:2.3:o:redhat:enterprise_linux:8.0
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
- cpe:2.3:o:redhat:enterprise_linux_eus:7.7
- cpe:2.3:o:redhat:enterprise_linux_server:7.0
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0