A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.
2019-10-14T20:15:10.540
2024-11-21T04:27:26.320
Modified
CVSSv3.1: 7.4 (HIGH)
AV:N/AC:M/Au:N/C:P/I:P/A:N
8.6
4.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | jss_cryptomanager_project | jss_cryptomanager | ≤ 4.4.7 | Yes |
| Application | jss_cryptomanager_project | jss_cryptomanager | ≤ 4.5.4 | Yes |
| Application | jss_cryptomanager_project | jss_cryptomanager | ≤ 4.6.2 | Yes |
| Operating System | linux | linux_kernel | - | No |
| Operating System | redhat | enterprise_linux | 6.0 | Yes |
| Operating System | redhat | enterprise_linux | 6.1 | Yes |
| Operating System | redhat | enterprise_linux | 6.2 | Yes |
| Operating System | redhat | enterprise_linux | 6.3 | Yes |
| Operating System | redhat | enterprise_linux | 6.4 | Yes |
| Operating System | redhat | enterprise_linux | 6.5 | Yes |
| Operating System | redhat | enterprise_linux | 6.6 | Yes |
| Operating System | redhat | enterprise_linux | 6.7 | Yes |
| Operating System | redhat | enterprise_linux | 6.8 | Yes |
| Operating System | redhat | enterprise_linux | 6.9 | Yes |
| Operating System | redhat | enterprise_linux | 6.10 | Yes |
| Operating System | redhat | enterprise_linux | 7.0 | Yes |
| Operating System | redhat | enterprise_linux | 7.1 | Yes |
| Operating System | redhat | enterprise_linux | 7.2 | Yes |
| Operating System | redhat | enterprise_linux | 7.3 | Yes |
| Operating System | redhat | enterprise_linux | 7.4 | Yes |
| Operating System | redhat | enterprise_linux | 7.5 | Yes |
| Operating System | redhat | enterprise_linux | 7.6 | Yes |
| Operating System | redhat | enterprise_linux | 7.7 | Yes |
| Operating System | redhat | enterprise_linux | 8.0 | Yes |
| Operating System | linux | linux_kernel | - | No |
| Operating System | redhat | enterprise_linux_desktop | 7.0 | Yes |
| Operating System | redhat | enterprise_linux_eus | 7.7 | Yes |
| Operating System | redhat | enterprise_linux_server | 7.0 | Yes |
| Operating System | redhat | enterprise_linux_server_aus | 7.7 | Yes |
| Operating System | redhat | enterprise_linux_server_tus | 7.7 | Yes |
| Operating System | redhat | enterprise_linux_workstation | 7.0 | Yes |
| Operating System | linux | linux_kernel | - | No |