{"id":"CVE-2023-5455","details":"A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing an already logged-in user. An attacker would always have to go through a new authentication attempt.","modified":"2026-04-02T09:47:50.690137Z","published":"2024-01-10T13:15:48.643Z","related":["ALSA-2024:0141","ALSA-2024:0143"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U76DAZZVY7V4XQBOOV5ETPTHW3A6MW5O/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFNUQH7IOHTKCTKQWFHONWGUBOUANL6I/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:0143"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:0141"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:0144"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2023-5455"},{"type":"ADVISORY","url":"https://www.freeipa.org/release-notes/4-9-14.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:0137"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:0139"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:0145"},{"type":"ADVISORY","url":"https://www.freeipa.org/release-notes/4-10-3.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:0252"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:0138"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:014
0"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2024:0142"},{"type":"ADVISORY","url":"https://www.freeipa.org/release-notes/4-11-1.html"},{"type":"ADVISORY","url":"https://www.freeipa.org/release-notes/4-6-10.html"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2242828"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/freeipa/freeipa","events":[{"introduced":"0"},{"fixed":"9c617675d6676fcdb0e9d67fed6bb801e0066bfe"},{"introduced":"f84b3f39edb880183722f4814acc56ae1f8edba7"},{"fixed":"deec13573d02c9e7eabd19201b7adb1e1eccd7e3"},{"introduced":"082ec006f43883540eca48d8190c3d6bf83c9405"},{"fixed":"74710a8ed24b4b8a14a07ca0642507d260039b30"},{"introduced":"0"},{"last_affected":"63f5e576856d339a408c170461604f271cd03a5d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.6.10"},{"introduced":"4.7.0"},{"fixed":"4.9.14"},{"introduced":"4.10.0"},{"fixed":"4.10.3"},{"introduced":"0"},{"last_affected":"4.11.0-NA"}]}}],"versions":["alpha-1-9-0","alpha_1-2-1-90","alpha_1-4-1-0","alpha_1-4-2-0","alpha_1-4-4-0","alpha_2-1-9-0","alpha_2-2-1-90","alpha_3-1-9-0","alpha_4-1-9-0","alpha_5-1-9-0","alpha_5-1-9-0-1","beta_1-2-0-0","beta_1-3-0-0","beta_1-3-2-0","beta_1-3-3-0","beta_1-4-11-0","beta_2-2-0-0","beta_2-3-0-0","beta_2-3-3-0","beta_3-3-0-0","milestone_2","milestone_3","milestone_4","milestone_4_1","milestone_6","rc_1-2-0-0","rc_1-2-1-90","rc_1-3-0-0","rc_2-2-0-0","rc_2-3-0-0","rc_3-2-0-0","rc_4-7-0-1","rc_4-7-0-2","rc_4-8-0-1","rc_4-9-0-1","rc_4-9-0-2","rc_4-9-0-3","release-1-0-0","release-1-0-0-a","release-1-0-0-b","release-1-1-0","release-1-1-1","release-1-2-0","release-1-2-1","release-1-2-2","release-2-0-0","release-2-0-1","release-2-1-0","release-2-1-1","release-2-1-2","release-2-1-3","release-2-1-4","release-2-2-0","release-2-2-1","release-2.2.2","release-3-0-0","release-3-0-1","release-3-0-2","release-3-1-0","release-3-1-1","release-3-1-2","release-3-1-3","release-3-1-4","release-3-1-5","release-3-2-0","re
lease-3-2-0-pre1","release-3-2-1","release-3-2-2","release-3-3-0","release-3-3-1","release-3-3-2","release-3-3-3","release-3-3-4","release-3-3-5","release-4-0-0","release-4-0-1","release-4-0-2","release-4-0-3","release-4-0-4","release-4-0-5","release-4-1-0","release-4-1-1","release-4-1-2","release-4-1-3","release-4-1-4","release-4-1-5","release-4-10-0","release-4-10-1","release-4-10-2","release-4-11-0","release-4-12-0","release-4-12-1","release-4-12-2","release-4-12-3","release-4-12-4","release-4-12-5","release-4-13-0","release-4-13-1","release-4-2-0","release-4-2-1","release-4-2-2","release-4-2-3","release-4-2-4","release-4-3-0","release-4-3-1","release-4-3-2","release-4-3-3","release-4-4-0","release-4-4-1","release-4-4-2","release-4-4-3","release-4-4-4","release-4-5-0","release-4-5-1","release-4-5-2","release-4-5-3","release-4-5-4","release-4-6-0","release-4-6-1","release-4-6-2","release-4-6-3","release-4-6-4","release-4-6-5","release-4-6-6","release-4-6-7","release-4-6-8","release-4-6-9","release-4-7-0","release-4-7-1","release-4-7-2","release-4-7-3","release-4-7-4","release-4-7-5","release-4-8-0","release-4-8-1","release-4-8-10","release-4-8-2","release-4-8-3","release-4-8-4","release-4-8-5","release-4-8-6","release-4-8-7","release-4-8-8","release-4-8-9","release-4-9-0","release-4-9-1","release-4-9-10","release-4-9-11","release-4-9-12","release-4-9-13","release-4-9-2","release-4-9-3","release-4-9-4","release-4-9-5","release-4-9-6","release-4-9-7","release-4-9-8","release-4-9-9"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"4.11.0-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"38"}]},{"events":[{"introduced":"0"},{"last_affected":"39"}]},{"events":[{"introduced":"0"},{"last_affected":"40"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"
}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last
_affected":"8.6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.6"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-5455.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}