CVE-2023-5455

CVE-2023-5455 is a medium-severity vulnerability in Redhat Codeready Linux Builder with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-352.

Key facts

Description

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

Frequently asked questions

What is CVE-2023-5455?
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.
How severe is CVE-2023-5455?
CVE-2023-5455 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity high, and availability none.
Is CVE-2023-5455 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (43rd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2023-5455?
CVE-2023-5455 primarily affects Redhat Codeready Linux Builder. In total, 57 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-5455?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2023-5455 have an EU (EUVD) identifier?
Yes. CVE-2023-5455 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-57769.
When was CVE-2023-5455 published?
CVE-2023-5455 was published on 2024-01-10 and last updated on 2026-06-17.

References

Affected products (57)

More vulnerabilities in Redhat Codeready Linux Builder

All CVEs affecting Redhat Codeready Linux Builder →

Other CWE-352 (Cross-Site Request Forgery (CSRF)) vulnerabilities

Browse all CWE-352 (Cross-Site Request Forgery (CSRF)) vulnerabilities →