Hardcoded Secret in CMC Authentication Plugin Allows Certificate Issuance Bypass

Hardcoded Secret in CMC Authentication Plugin Allows Certificate Issuance Bypass

CVE-2017-7537 · MEDIUM Severity

AV:N/AC:L/AU:N/C:N/I:P/A:N

It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package before 10.6.4. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing certificates.

Learn more about our Cis Benchmark Audit For Server Software.