Vulnerability Details CVE-2019-14823
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 52.0%
CVSS Severity
CVSS v3 Score 6.8
CVSS v2 Score 5.8
Products affected by CVE-2019-14823
- cpe:2.3:a:jss_cryptomanager_project:jss_cryptomanager:4.4.6
- cpe:2.3:a:jss_cryptomanager_project:jss_cryptomanager:4.4.7
- cpe:2.3:a:jss_cryptomanager_project:jss_cryptomanager:4.5.3
- cpe:2.3:a:jss_cryptomanager_project:jss_cryptomanager:4.5.4
- cpe:2.3:a:jss_cryptomanager_project:jss_cryptomanager:4.6.0
- cpe:2.3:a:jss_cryptomanager_project:jss_cryptomanager:4.6.1
- cpe:2.3:a:jss_cryptomanager_project:jss_cryptomanager:4.6.2
- cpe:2.3:o:linux:linux_kernel:-
- cpe:2.3:o:redhat:enterprise_linux:6.0
- cpe:2.3:o:redhat:enterprise_linux:6.1
- cpe:2.3:o:redhat:enterprise_linux:6.10
- cpe:2.3:o:redhat:enterprise_linux:6.2
- cpe:2.3:o:redhat:enterprise_linux:6.3
- cpe:2.3:o:redhat:enterprise_linux:6.4
- cpe:2.3:o:redhat:enterprise_linux:6.5
- cpe:2.3:o:redhat:enterprise_linux:6.6
- cpe:2.3:o:redhat:enterprise_linux:6.7
- cpe:2.3:o:redhat:enterprise_linux:6.8
- cpe:2.3:o:redhat:enterprise_linux:6.9
- cpe:2.3:o:redhat:enterprise_linux:7.0
- cpe:2.3:o:redhat:enterprise_linux:7.1
- cpe:2.3:o:redhat:enterprise_linux:7.2
- cpe:2.3:o:redhat:enterprise_linux:7.3
- cpe:2.3:o:redhat:enterprise_linux:7.4
- cpe:2.3:o:redhat:enterprise_linux:7.5
- cpe:2.3:o:redhat:enterprise_linux:7.6
- cpe:2.3:o:redhat:enterprise_linux:7.7
- cpe:2.3:o:redhat:enterprise_linux:8.0
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
- cpe:2.3:o:redhat:enterprise_linux_eus:7.7
- cpe:2.3:o:redhat:enterprise_linux_server:7.0
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0