CVE-2019-14823
HIGHJSS CryptoManager >4.4.6-4.6.0 - Privilege Escalation
Title source: llmDescription
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.
References (6)
Core 6
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14823
Exploit, Patch, Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3067
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O53NXVKMF7PJCPMCJQHLMSYCUGDHGBVE/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZZWZLNALV6AOIBIHB3ZMNA5AGZMZAIY/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENEN4DQBE6WOGEP5BQ5X62WZM7ZQEEBG/
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3225
Scores
CVSS v3
7.4
EPSS
0.0086
EPSS Percentile
53.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-295
CWE-358
Status
published
Products (27)
jss_cryptomanager_project/jss_cryptomanager
4.4.6 - 4.4.7
redhat/enterprise_linux
6.0
redhat/enterprise_linux
6.1
redhat/enterprise_linux
6.2
redhat/enterprise_linux
6.3
redhat/enterprise_linux
6.4
redhat/enterprise_linux
6.5
redhat/enterprise_linux
6.6
redhat/enterprise_linux
6.7
redhat/enterprise_linux
6.8
... and 17 more
Published
Oct 14, 2019
Tracked Since
Feb 18, 2026