Red Hat · Dogtag PKI · CVE-2018-1080
**Name of the Vulnerable Software and Affected Versions**
Dogtag PKI versions prior to 10.6.2
**Description**
In certain configurations, ACL allow and deny rules are applied in reverse. Specifically, when a server is set to process allow rules before deny rules, as defined by `authz.evaluateOrder=allow,deny`, the allow rules will incorrectly deny access, while the deny rules will grant access. This reversal may lead to unintended consequences, including potential escalation of privileges.
**Recommendations**
For Dogtag PKI versions prior to 10.6.2, update to version 10.6.2 or later to resolve the issue.
As a temporary workaround, consider changing the configuration to process deny rules before allow rules by setting `authz.evaluateOrder=deny,allow` until a patch is applied.
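
To find configurations that still use the allow-first order, the following added example (not part of the original advisory or of Dogtag PKI's code) reads a key=value configuration file and reports the effective `authz.evaluateOrder`. The file path is passed by the caller; treating `#` lines as comments and letting the last assignment win are assumptions, and the status labels and function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a key=value config file for the evaluation order
# named in the advisory. The config path is supplied by the caller.

# Print the effective authz.evaluateOrder value in file $1 (empty if absent).
# Assumptions: '#' lines are comments; the last assignment wins.
effective_order() {
    awk '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/\r$/, "", line)              # tolerate CRLF line endings
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/[ \t]/, "", val)
            if (key == "authz.evaluateOrder") order = val
        }
        END { print order }
    ' "$1"
}

# Classify file $1 (hypothetical labels):
#   allow-first  order that triggers the reversal on versions prior to 10.6.2
#   deny-first   the workaround order
#   unset        key not present
#   other:<v>    any other value
classify_order() {
    order=$(effective_order "$1")
    case "$order" in
        allow,deny) echo "allow-first" ;;
        deny,allow) echo "deny-first" ;;
        "")         echo "unset" ;;
        *)          echo "other:$order" ;;
    esac
}

# Constructed sample input (not taken from a real server).
sample_config() {
    printf '%s\n' '# constructed sample' \
        'authz.evaluateOrder=deny,allow' \
        'authz.evaluateOrder = allow , deny'
}

if [ "${1:-}" ]; then classify_order "$1"
else tmp=$(mktemp); sample_config > "$tmp"; classify_order "$tmp"; rm -f "$tmp"; fi
```

An `allow-first` result only indicates exposure when the installed version is prior to 10.6.2, so pair it with a package version check.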