CVE-2020-25276
Severity: HIGH
PrimeKey EJBCA 6.x-7.x < 7.4.1 - Improper Certificate Validation in EST Client Certificate Revocation Check
Title source: llmDescription
An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. When using a client certificate to enroll over the EST protocol, no revocation check is performed on that certificate. This vulnerability can only affect a system that has EST configured, uses client certificates to authenticate enrollment, and has had such a certificate revoked. This certificate needs to belong to a role that is authorized to enroll new end entities. (To completely mitigate this problem prior to upgrade, remove any revoked client certificates from their respective roles.)
References (1)
Core References
Vendor Advisory (x_refsource_misc)
https://support.primekey.com/news/posts/ejbca-security-advisory-revocation-check-not-performed-on-est-client-certificate
Scores
CVSS v3
7.3
EPSS
0.0049
EPSS Percentile
38.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-295
Status
published
Products (1)
primekey/ejbca
7.0.0 - 7.4.1
Published
Sep 11, 2020
Tracked Since
Feb 18, 2026