CVE-2008-5082

Redhat Dogtag Certificate System - Authentication Bypass

Title source: rule

Description

The verifyProof function in the Token Processing System (TPS) component in Red Hat Certificate System (RHCS) 7.1 through 7.3 and Dogtag Certificate System 1.0 returns successfully even when token enrollment did not use the hardware key, which allows remote authenticated users with enrollment privileges to bypass intended authentication policies by performing enrollment with a software key.

References (6)

[Vendor Advisory] http://secunia.com/advisories/33693

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=475998

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/48331

[Vendor Advisory] https://rhn.redhat.com/errata/RHSA-2009-0007.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/33508

[Third Party Advisory] http://www.vupen.com/english/advisories/2009/0145

Scores

EPSS 0.0020

EPSS Percentile 41.3%

Classification

CWE

CWE-287

Status draft

Affected Products (4)

redhat/_dogtag_certificate_system

redhat/certificate_system

redhat/certificate_system

redhat/certificate_system

Timeline

Published Jan 30, 2009

Tracked Since Feb 18, 2026