CVE-2023-34196

HIGH

Keyfactor EJBCA < 8.0.0 - Unauthenticated CA Certificate Disclosure via RA Web Certificate Distribution Servlet

Title source: llm

Description

In the Keyfactor EJBCA before 8.0.0, the RA web certificate distribution servlet /ejbca/ra/cert allows partial denial of service due to an authentication issue. In configurations using OAuth, disclosure of CA certificates (attributes and public keys) to unauthenticated or less privileged users may occur.

References (2)

Core 2

Core References

Product

https://keyfactor.com

Mitigation, Vendor Advisory

https://support.keyfactor.com/hc/en-us/articles/16671824556827-EJBCA-Security-Advisory-Partial-denial-of-service-attack-on-certificate-distribution-servlet-ejbca-ra-cert

Scores

CVSS v3 8.2

EPSS 0.0035

EPSS Percentile 26.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-287

Status published

Products (1)

keyfactor/ejbca < 8.0.0

Published Aug 03, 2023

Tracked Since Feb 18, 2026