CVE-2019-14823

moderate-risk
Published 2019-10-14

A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.

Do I need to act?

-
0.29% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.4/10 High
NETWORK / HIGH complexity

Affected Products (20)

Jss Cryptomanager

Affected Vendors

Redhat Jss Cryptomanager Project

References (12)

Exploit https://access.redhat.com/errata/RHSA-2019:3067
https://access.redhat.com/errata/RHSA-2019:3225
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14823
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Exploit https://access.redhat.com/errata/RHSA-2019:3067
https://access.redhat.com/errata/RHSA-2019:3225
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14823
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
45
/ 100
moderate-risk
Severity 22/34 · High
Exploitability 1/34 · Minimal
Exposure 22/34 · High