VYPR
Vendor

PrimeKey

Products
2
CVEs
15
Across products
15
Status
Private

Products

2

Recent CVEs

15
  • CVE-2022-34831CriSep 14, 2022
    risk 0.64cvss 9.8epss 0.00

    An issue was discovered in Keyfactor PrimeKey EJBCA before 7.9.0, related to possible inconsistencies in DNS identifiers submitted in an ACME order and the corresponding CSR submitted during finalization. During the ACME enrollment process, an order is submitted containing an…

  • CVE-2020-11630CriApr 8, 2020
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. In several sections of code, the verification of serialized objects sent between nodes (connected via the Peers protocol) allows insecure objects to be deserialized.

  • CVE-2020-25276HigSep 11, 2020
    risk 0.47cvss 7.3epss 0.00

    An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. When using a client certificate to enroll over the EST protocol, no revocation check is performed on that certificate. This vulnerability can only affect a system that has EST configured, uses client…

  • CVE-2020-11629HigApr 8, 2020
    risk 0.47cvss 7.2epss 0.01

    An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. The External Command Certificate Validator, which allows administrators to upload external linters to validate certificates, is supposed to save uploaded test certificates to the server. An attacker who has…

  • CVE-2020-11631MedApr 8, 2020
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. An error state can be generated in the CA UI by a malicious user. This, in turn, allows exploitation of other bugs. This follow-on exploitation can lead to privilege escalation and remote code execution.…

  • CVE-2020-11626MedApr 8, 2020
    risk 0.40cvss 6.1epss 0.00

    An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. Two Cross Side Scripting (XSS) vulnerabilities have been found in the Public Web and the Certificate/CRL download servlets.

  • CVE-2022-39834MedNov 17, 2022
    risk 0.35cvss 5.4epss 0.00

    A stored XSS vulnerability was discovered in adminweb/ra/viewendentity.jsp in PrimeKey EJBCA through 7.9.0.2. A low-privilege user can store JavaScript in order to exploit a higher-privilege user.

  • CVE-2021-40088MedAug 25, 2021
    risk 0.35cvss 5.4epss 0.00

    An issue was discovered in PrimeKey EJBCA before 7.6.0. CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients. The same RA client certificate is used for revocation requests as well. While enrollment enforces multi tenancy constraints…

  • CVE-2020-11628MedApr 8, 2020
    risk 0.35cvss 5.3epss 0.01

    An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. It is intended to support restriction of available remote protocols (CMP, ACME, REST, etc.) through the system configuration. These restrictions can be bypassed by modifying the URI string from a client.…

  • CVE-2022-40711MedJan 1, 2023
    risk 0.31cvss 4.8epss 0.00

    PrimeKey EJBCA 7.9.0.2 Community allows stored XSS in the End Entity section. A user with the RA Administrator role can inject an XSS payload to target higher-privilege users.

  • CVE-2022-26494MedMar 21, 2022
    risk 0.31cvss 4.8epss 0.01

    An XSS was identified in the Admin Web interface of PrimeKey SignServer before 5.8.1. JavaScript code must be used in a worker name before a Generate CSR request. Only an administrator can update a worker name.

  • CVE-2020-28942MedNov 19, 2020
    risk 0.28cvss 4.3epss 0.00

    An issue exists in PrimeKey EJBCA before 7.4.3 when enrolling with EST while proxied through an RA over the Peers protocol. As a part of EJBCA's domain security model, the peer connector allows the restriction of client certificates (for the RA, not the end user) to a limited…

  • CVE-2021-40087LowAug 25, 2021
    risk 0.18cvss 2.7epss 0.00

    An issue was discovered in PrimeKey EJBCA before 7.6.0. When audit logging changes to the alias configurations of various protocols that use an enrollment secret, any modifications to the secret were logged in cleartext in the audit log (that can only be viewed by an…

  • CVE-2021-40089LowAug 25, 2021
    risk 0.15cvss 2.3epss 0.00

    An issue was discovered in PrimeKey EJBCA before 7.6.0. The General Purpose Custom Publisher, which is normally run to invoke a local script upon a publishing operation, was still able to run if the System Configuration setting Enable External Script Access was disabled. With…

  • CVE-2021-40086LowAug 25, 2021
    risk 0.14cvss 2.2epss 0.01

    An issue was discovered in PrimeKey EJBCA before 7.6.0. As part of the configuration of the aliases for SCEP, CMP, EST, and Auto-enrollment, the enrollment secret was reflected on a page (that can only be viewed by an administrator). While hidden from direct view, checking the…