Bitnami package
ejbca
pkg:bitnami/ejbca
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-3027 | — | >= 8.0.0, < 9.1.0 | 9.1.0 | Mar 31, 2025 | The vulnerability exists in the EJBCA service, version 8.0 Enterprise. By making a small change to the PATH of the URL associated with the service, the server fails to find the requested file and redirects to an external page. This vulnerability could allow users to be redirected | ||
| CVE-2025-3026 | — | >= 8.0.0, < 9.1.0 | 9.1.0 | Mar 31, 2025 | The vulnerability exists in the EJBCA service, version 8.0 Enterprise. Not tested in higher versions. By modifying the ‘Host’ header in an HTTP request, it is possible to manipulate the generated links and thus redirect the client to a different base URL. In this way, an attacke | ||
| CVE-2022-34831 | Cri | 9.8 | < 7.9.0 | 7.9.0 | Sep 14, 2022 | An issue was discovered in Keyfactor PrimeKey EJBCA before 7.9.0, related to possible inconsistencies in DNS identifiers submitted in an ACME order and the corresponding CSR submitted during finalization. During the ACME enrollment process, an order is submitted containing an ide | |
| CVE-2021-40089 | Low | 2.3 | < 7.6.0 | 7.6.0 | Aug 25, 2021 | An issue was discovered in PrimeKey EJBCA before 7.6.0. The General Purpose Custom Publisher, which is normally run to invoke a local script upon a publishing operation, was still able to run if the System Configuration setting Enable External Script Access was disabled. With thi | |
| CVE-2021-40088 | Med | 5.4 | < 7.6.0 | 7.6.0 | Aug 25, 2021 | An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints ( | |
| CVE-2021-40087 | Low | 2.7 | < 7.6.0 | 7.6.0 | Aug 25, 2021 | An issue was discovered in PrimeKey EJBCA before 7.6.0. When audit logging changes to the alias configurations of various protocols that use an enrollment secret, any modifications to the secret were logged in cleartext in the audit log (that can only be viewed by an administrato | |
| CVE-2021-40086 | Low | 2.2 | < 7.6.0 | 7.6.0 | Aug 25, 2021 | An issue was discovered in PrimeKey EJBCA before 7.6.0. As part of the configuration of the aliases for SCEP, CMP, EST, and Auto-enrollment, the enrollment secret was reflected on a page (that can only be viewed by an administrator). While hidden from direct view, checking the pa | |
| CVE-2020-28942 | Med | 4.3 | < 7.4.3 | 7.4.3 | Nov 19, 2020 | An issue exists in PrimeKey EJBCA before 7.4.3 when enrolling with EST while proxied through an RA over the Peers protocol. As a part of EJBCA's domain security model, the peer connector allows the restriction of client certificates (for the RA, not the end user) to a limited set | |
| CVE-2020-25276 | Hig | 7.3 | >= 7.0.0, < 7.4.1 | 7.4.1 | Sep 11, 2020 | An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. When using a client certificate to enroll over the EST protocol, no revocation check is performed on that certificate. This vulnerability can only affect a system that has EST configured, uses client certificates |
- CVE-2025-3027Mar 31, 2025affected >= 8.0.0, < 9.1.0fixed 9.1.0
The vulnerability exists in the EJBCA service, version 8.0 Enterprise. By making a small change to the PATH of the URL associated with the service, the server fails to find the requested file and redirects to an external page. This vulnerability could allow users to be redirected
- CVE-2025-3026Mar 31, 2025affected >= 8.0.0, < 9.1.0fixed 9.1.0
The vulnerability exists in the EJBCA service, version 8.0 Enterprise. Not tested in higher versions. By modifying the ‘Host’ header in an HTTP request, it is possible to manipulate the generated links and thus redirect the client to a different base URL. In this way, an attacke
- affected < 7.9.0fixed 7.9.0
An issue was discovered in Keyfactor PrimeKey EJBCA before 7.9.0, related to possible inconsistencies in DNS identifiers submitted in an ACME order and the corresponding CSR submitted during finalization. During the ACME enrollment process, an order is submitted containing an ide
- affected < 7.6.0fixed 7.6.0
An issue was discovered in PrimeKey EJBCA before 7.6.0. The General Purpose Custom Publisher, which is normally run to invoke a local script upon a publishing operation, was still able to run if the System Configuration setting Enable External Script Access was disabled. With thi
- affected < 7.6.0fixed 7.6.0
An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints (
- affected < 7.6.0fixed 7.6.0
An issue was discovered in PrimeKey EJBCA before 7.6.0. When audit logging changes to the alias configurations of various protocols that use an enrollment secret, any modifications to the secret were logged in cleartext in the audit log (that can only be viewed by an administrato
- affected < 7.6.0fixed 7.6.0
An issue was discovered in PrimeKey EJBCA before 7.6.0. As part of the configuration of the aliases for SCEP, CMP, EST, and Auto-enrollment, the enrollment secret was reflected on a page (that can only be viewed by an administrator). While hidden from direct view, checking the pa
- affected < 7.4.3fixed 7.4.3
An issue exists in PrimeKey EJBCA before 7.4.3 when enrolling with EST while proxied through an RA over the Peers protocol. As a part of EJBCA's domain security model, the peer connector allows the restriction of client certificates (for the RA, not the end user) to a limited set
- affected >= 7.0.0, < 7.4.1fixed 7.4.1
An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. When using a client certificate to enroll over the EST protocol, no revocation check is performed on that certificate. This vulnerability can only affect a system that has EST configured, uses client certificates