CVE-2018-1080

Publication date 3 July 2018

Last updated 24 July 2024

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

8.1 · High

Score breakdown

Dogtag PKI, through version 10.6.1, has a vulnerability in AAclAuthz.java that, under certain configurations, causes the application of ACL allow and deny rules to be reversed. If a server is configured to process allow rules before deny rules (authz.evaluateOrder=allow,deny), then allow rules will deny access and deny rules will grant access. This may result in an escalation of privileges or have other unintended consequences.

Status

Package Ubuntu Release Status
dogtag-pki 24.10 oracular Not in release
24.04 LTS noble Not in release
23.10 mantic
Not affected
23.04 lunar
Not affected
22.10 kinetic
Not affected
22.04 LTS jammy
Not affected
21.10 impish
Not affected
21.04 hirsute
Not affected
20.10 groovy
Not affected
20.04 LTS focal
Not affected
19.10 eoan
Not affected
19.04 disco Not in release
18.10 cosmic
Not affected
18.04 LTS bionic
Not affected
17.10 artful Ignored end of life
16.04 LTS xenial Ignored regressions likely
14.04 LTS trusty Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
dogtag-pki

Severity score breakdown

Parameter Value
Base score 8.1 · High
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H