CVE-2023-4727

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass token authentication in dogtag-pki and pki-core systems via LDAP injection. By sending a sessionID=* parameter, attackers can authenticate using existing sessions stored in LDAP, potentially leading to privilege escalation. Organizations using affected versions of these PKI management systems are at risk.

💻 Affected Systems

Products:
  • dogtag-pki
  • pki-core
Versions: Multiple versions prior to patches released in RHSA-2024 advisories
Operating Systems: Red Hat Enterprise Linux and derivatives
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using token-based authentication with LDAP backend. The vulnerability is present in the default configuration when using session-based authentication.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise where attackers gain administrative privileges, access sensitive cryptographic keys, issue fraudulent certificates, and potentially pivot to other systems.

🟠 Likely Case

Unauthorized access to PKI management interfaces, certificate issuance/modification, and privilege escalation within the PKI system.

🟢 If Mitigated

Limited impact with proper network segmentation, authentication controls, and monitoring in place.

🌐 Internet-Facing: HIGH - If PKI web interfaces are exposed to the internet, attackers can directly exploit this without internal access.
🏢 Internal Only: MEDIUM - Requires internal network access but can be exploited by malicious insiders or attackers who have breached perimeter defenses.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires sending a crafted HTTP request with sessionID=* parameter. No authentication is required to attempt the bypass, but successful exploitation depends on existing sessions in LDAP.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple versions addressed in RHSA-2024:4051, RHSA-2024:4070, RHSA-2024:4164, RHSA-2024:4165, RHSA-2024:4179

Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:4051

Restart Required: Yes

Instructions:

  1. Identify affected dogtag-pki or pki-core installations.
  2. Apply the appropriate Red Hat security update for your system.
  3. Restart the PKI services.
  4. Verify the patch is applied and test authentication functionality.

🔧 Temporary Workarounds

Disable token authentication

Temporarily disable token-based authentication until patches can be applied:

# Modify pki configuration to use alternative authentication methods
# Consult product documentation for specific configuration changes

Network access restrictions

Restrict access to PKI management interfaces to trusted networks only:

# Use firewall rules to limit access. Replace TRUSTED_NETWORK with your management CIDR
# (for example 10.0.0.0/8). This adds an allow rule only: make sure the zone does not
# already permit port 8443 from any source, or the rule has no restricting effect.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port port="8443" protocol="tcp" accept'
firewall-cmd --reload

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate PKI systems from untrusted networks
  • Enable detailed logging and monitoring for authentication attempts and session creation

🔍 How to Verify

Check if Vulnerable:

Check installed package versions: rpm -qa | grep -E '(dogtag-pki|pki-core)' and compare against patched versions in Red Hat advisories

Check Version:

rpm -qa | grep -E '(dogtag-pki|pki-core)'

Verify Fix Applied:

Verify package version after update: rpm -q --changelog dogtag-pki | grep -i 'CVE-2023-4727'

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Multiple failed login attempts followed by successful login with wildcard sessionID
  • LDAP queries with wildcard session parameters

Network Indicators:

  • HTTP requests containing sessionID=* parameter to PKI endpoints
  • Unusual source IPs accessing PKI management interfaces

SIEM Query:

source="pki_logs" AND (sessionID="*" OR "sessionID=*")
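The SIEM query above matches the literal string sessionID=*, which misses the URL-encoded form (%2A) that an HTTP access log will often contain. The following added example (not code from the page or from the Dogtag/pki-core project) scans constructed access-log lines, URL-decodes the sessionID parameter case-insensitively, and reports any request whose decoded value contains an LDAP wildcard. The log lines, hosts and request paths are constructed for illustration.

```python
"""Added example: flag HTTP requests whose sessionID parameter carries an LDAP wildcard.

Not part of the original page or the Dogtag/pki-core project. Scans combined-format
access-log lines, decodes the sessionID query value (handles %2A and double encoding),
and returns the requests that a literal 'sessionID=*' string match would miss.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines; IPs, timestamps and paths are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /ca/rest/account/login?sessionID=*&foo=1 HTTP/1.1" 200 512
10.0.0.6 - - [12/Jun/2024:10:01:05 +0000] "GET /ca/rest/account/login?sessionID=%2A HTTP/1.1" 200 511
10.0.0.7 - - [12/Jun/2024:10:01:09 +0000] "GET /ca/rest/account/login?sessionID=abc123def HTTP/1.1" 200 510
10.0.0.8 - - [12/Jun/2024:10:01:12 +0000] "POST /ca/rest/certrequests HTTP/1.1" 201 300
10.0.0.9 - - [12/Jun/2024:10:01:20 +0000] "GET /ca/rest/account/login?sessionid=ab%2A HTTP/1.1" 200 509
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD target PROTO", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def wildcard_session_params(target: str) -> list[str]:
    """Return the decoded sessionID values in a request target that contain '*'.

    Parameter-name matching is case-insensitive. parse_qs decodes one layer of
    URL encoding; a second unquote catches double-encoded values (e.g. %252A).
    """
    query = urlsplit(target).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() != "sessionid":
            continue
        for value in values:
            decoded = unquote(value)
            if "*" in decoded:
                hits.append(decoded)
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse each access-log line and collect requests with a wildcard sessionID.

    The HTTP status is kept so a 2xx response (an apparently successful login with
    a wildcard session) can be prioritised over rejected attempts.
    """
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        hits = wildcard_session_params(match["target"])
        if hits:
            findings.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "path": urlsplit(match["target"]).path,
                "status": int(match["status"]),
                "values": hits,
                "succeeded": 200 <= int(match["status"]) < 300,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it against real access logs by replacing SAMPLE_LOG with the file contents; findings with succeeded set to True are the ones to correlate with the LDAP-side indicators listed above, since a 2xx on a wildcard session request is the pattern the page describes as a successful bypass.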
