Reflected Enrollment Secret Exposure in PrimeKey EJBCA

Reflected Enrollment Secret Exposure in PrimeKey EJBCA

CVE-2021-40086 · LOW Severity

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

An issue was discovered in PrimeKey EJBCA before 7.6.0. As part of the configuration of the aliases for SCEP, CMP, EST, and Auto-enrollment, the enrollment secret was reflected on a page (that can only be viewed by an administrator). While hidden from direct view, checking the page source would reveal the secret.

Learn more about our Web Application Penetration Testing UK.