PT-2020-12739 · Primekey · Ejbca

Published: 2020-04-07 · Updated: 2021-07-21 · CVE-2020-11629

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

EJBCA versions prior to 6.15.2.6
EJBCA versions 7.x prior to 7.3.1.2

Description

An issue was discovered in the External Command Certificate Validator, which allows administrators to upload external linters to validate certificates. This validator is supposed to save uploaded test certificates to the server. However, an attacker who has gained access to the CA UI could exploit this to upload malicious scripts to the server. The risks associated with this issue are negligible unless a malicious user has already gained access to the CA UI through other means.

Recommendations

For EJBCA versions prior to 6.15.2.6, update to version 6.15.2.6 or later to resolve the issue. For EJBCA versions 7.x prior to 7.3.1.2, update to version 7.3.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the External Command Certificate Validator to minimize the risk of exploitation.
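The description above boils down to one point: content accepted as a "test certificate" reaches the server's file system without being checked for what it is. As an added illustration of the kind of check a defender would expect in front of such a feature (example code written for this entry, not EJBCA's code or the vendor's fix; the function names and the 0600 storage policy are assumptions), the following accepts an upload only if it parses as exactly one PEM or DER X.509 certificate and then persists the re-encoded DER rather than the raw upload:

```python
import base64
import os
import re
# A PEM body may contain only base64 characters and whitespace; anything else fails to match.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")

def _der_length(buf, pos):
    """Decode the DER length field at buf[pos]; return (length, index of first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def looks_like_x509(der):
    """Structural check: SEQUENCE { tbsCertificate SEQUENCE, ... } whose length covers the whole blob."""
    if len(der) < 4 or der[0] != 0x30:
        return False
    try:
        outer_len, content = _der_length(der, 1)
    except ValueError:
        return False
    # Exact length match means nothing can be appended after the certificate.
    return outer_len > 0 and content + outer_len == len(der) and der[content] == 0x30

def decode_uploaded_certificate(blob):
    """Return the DER bytes of exactly one PEM or DER certificate, or None to reject the upload."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        bodies = PEM_BLOCK.findall(blob)
        if len(bodies) != 1:
            return None
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", bodies[0]), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
    else:
        der = blob
    return der if looks_like_x509(der) else None

def store_test_certificate(blob, directory, name):
    """Persist only the re-encoded DER as a fresh, non-executable 0600 file (assumed policy)."""
    der = decode_uploaded_certificate(blob)
    if der is None:
        raise ValueError("upload rejected: not a single X.509 certificate")
    # basename() keeps a caller-supplied name inside the target directory.
    path = os.path.join(directory, os.path.basename(name) + ".der")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(der)
    return path
```

The structural check is deliberately not a full X.509 parser; its job is only to guarantee that what lands on disk is a DER certificate and nothing else, so a script body, whether bare or wrapped in PEM markers, is rejected before any write happens.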

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2020-11629

Affected Products

Ejbca