Implicit Trust of Root Certificate in Leaf and Chain OCSP Policy Implementation in JSS' CryptoManager

CVE-2019-14823 · HIGH Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as man-in-the-middle.