PT-2020-12738 · Primekey · Ejbca

Published: 2020-04-07 · Updated: 2020-04-08 · CVE-2020-11628

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

EJBCA versions prior to 6.15.2.6
EJBCA versions 7.x prior to 7.3.1.2

Description

An issue was discovered that allows restrictions on available remote protocols, such as CMP, ACME, and REST, to be bypassed by modifying the URI string sent from a client. Although EJBCA's internal access control restrictions remain in place, and each protocol must still be explicitly configured to allow enrollment, the intended system-level configuration restrictions on which protocols are reachable can be circumvented.

Recommendations

For EJBCA versions prior to 6.15.2.6, update to version 6.15.2.6 or later to resolve the issue.
For EJBCA versions 7.x prior to 7.3.1.2, update to version 7.3.1.2 or later to resolve the issue.
As a temporary workaround, consider restricting network access to the affected protocol endpoints (CMP, ACME, REST, etc.) to minimize the risk of exploitation.

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2020-11628

Affected Products

Ejbca