NVD Advisory · Severity: Unrated · Published Jan 10, 2024 · Updated Mar 18, 2026
ipa: invalid CSRF protection
CVE-2023-5455
Description
A cross-site request forgery (CSRF) vulnerability exists in ipa/session/login_password in all supported versions of IPA. The flaw allows an attacker to trick a user into submitting a request that performs actions as that user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that FreeIPA does not enforce CSRF protection on certain HTTP endpoints. Because of implementation details, the flaw cannot be used to reflect a cookie that represents an already logged-in user; an attacker would always have to go through a new authentication attempt.
Affected products
Red Hat (41 products)
- Red Hat Enterprise Linux 8 (2 versions): cpe:/a:redhat:enterprise_linux:8::appstream, range 8090020231201152514.3387e3d0; cpe:/o:redhat:enterprise_linux:8
- Red Hat Enterprise Linux 9: cpe:/a:redhat:enterprise_linux:9::crb, range 0:4.10.2-5.el9_3
- Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions: cpe:/a:redhat:rhel_aus:8.2::appstream, range 8020020231123154806.792f4060
- Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions: cpe:/a:redhat:rhel_aus:8.4::appstream, range 8040020231123154610.5b01ab7e
- Red Hat Enterprise Linux 8.6 Extended Update Support: cpe:/a:redhat:rhel_eus:8.6::appstream, range 8060020231208020207.ada582f1
- Red Hat Enterprise Linux 8.8 Extended Update Support: cpe:/a:redhat:rhel_eus:8.8::appstream, range 8080020231201153604.b0a6ceea
- Red Hat Enterprise Linux 9.0 Extended Update Support: cpe:/a:redhat:rhel_eus:9.0::appstream, range 0:4.9.8-9.el9_0
- Red Hat Enterprise Linux 9.2 Extended Update Support: cpe:/a:redhat:rhel_eus:9.2::appstream, range 0:4.10.1-10.el9_2
- Red Hat Enterprise Linux 6: cpe:/o:redhat:enterprise_linux:6
- Red Hat Enterprise Linux 7: cpe:/o:redhat:enterprise_linux:7::server, range 0:4.6.8-5.el7_9.16
OSV coordinates (AlmaLinux, 30 packages, no CPE; fixed in the version listed)
- pkg:rpm/almalinux/bind-dyndb-ldap: < 11.6-4.module_el8.6.0+3339+9b5fdd22
- pkg:rpm/almalinux/custodia: < 0.6.0-3.module_el8.6.0+2881+2f24dc92
- pkg:rpm/almalinux/ipa-client: < 4.10.2-5.el9_3.alma.1
- pkg:rpm/almalinux/ipa-client-common: < 4.10.2-5.el9_3.alma.1
- pkg:rpm/almalinux/ipa-client-epn: < 4.10.2-5.el9_3.alma.1
- pkg:rpm/almalinux/ipa-client-samba: < 4.10.2-5.el9_3.alma.1
- pkg:rpm/almalinux/ipa-common: < 4.10.2-5.el9_3.alma.1
- pkg:rpm/almalinux/ipa-healthcheck: < 0.12-3.module_el8.9.0+3651+d05ea4c5
- pkg:rpm/almalinux/ipa-healthcheck-core: < 0.12-3.module_el8.9.0+3651+d05ea4c5
- pkg:rpm/almalinux/ipa-python-compat: < 4.9.12-11.module_el8.9.0+3715+e4197dc9.alma.1
- pkg:rpm/almalinux/ipa-selinux: < 4.10.2-5.el9_3.alma.1
- pkg:rpm/almalinux/ipa-server: < 4.10.2-5.el9_3.alma.1
- pkg:rpm/almalinux/ipa-server-common: < 4.10.2-5.el9_3.alma.1
- pkg:rpm/almalinux/ipa-server-dns: < 4.10.2-5.el9_3.alma.1
- pkg:rpm/almalinux/ipa-server-trust-ad: < 4.10.2-5.el9_3.alma.1
- pkg:rpm/almalinux/opendnssec: < 2.1.7-1.module_el8.6.0+2881+2f24dc92
- pkg:rpm/almalinux/python3-custodia: < 0.6.0-3.module_el8.6.0+2881+2f24dc92
- pkg:rpm/almalinux/python3-ipaclient: < 4.10.2-5.el9_3.alma.1
- pkg:rpm/almalinux/python3-ipalib: < 4.10.2-5.el9_3.alma.1
- pkg:rpm/almalinux/python3-ipaserver: < 4.10.2-5.el9_3.alma.1
- pkg:rpm/almalinux/python3-ipatests: < 4.10.2-5.el9_3.alma.1
- pkg:rpm/almalinux/python3-jwcrypto: < 0.5.0-1.1.module_el8.7.0+3349+cfeff52e
- pkg:rpm/almalinux/python3-kdcproxy: < 0.4-5.module_el8.9.0+3682+f63caf3e
- pkg:rpm/almalinux/python3-pyusb: < 1.0.0-9.1.module_el8.7.0+3349+cfeff52e
- pkg:rpm/almalinux/python3-qrcode: < 5.1-12.module_el8.6.0+2881+2f24dc92
- pkg:rpm/almalinux/python3-qrcode-core: < 5.1-12.module_el8.6.0+2881+2f24dc92
- pkg:rpm/almalinux/python3-yubico: < 1.3.2-9.1.module_el8.7.0+3349+cfeff52e
- pkg:rpm/almalinux/slapi-nis: < 0.60.0-4.module_el8.9.0+3682+f63caf3e.alma.1
- pkg:rpm/almalinux/softhsm: < 2.6.0-5.module_el8.6.0+2881+2f24dc92
- pkg:rpm/almalinux/softhsm-devel: < 2.6.0-5.module_el8.6.0+2881+2f24dc92
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
(15 references, via MITRE)
- access.redhat.com/errata/RHSA-2024:0137 (vendor advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:0138 (vendor advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:0139 (vendor advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:0140 (vendor advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:0141 (vendor advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:0142 (vendor advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:0143 (vendor advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:0144 (vendor advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:0145 (vendor advisory, x_refsource_REDHAT)
- access.redhat.com/security/cve/CVE-2023-5455 (vdb entry, x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (issue tracking, x_refsource_REDHAT)
- www.freeipa.org/release-notes/4-10-3.html
- www.freeipa.org/release-notes/4-11-1.html
- www.freeipa.org/release-notes/4-6-10.html
- www.freeipa.org/release-notes/4-9-14.html
News mentions
No linked articles in our index yet.