CVE-2020-11631

Name of the Vulnerable Software and Affected Versions EJBCA versions prior to 6.15.2.6 EJBCA versions 7.x prior to 7.3.1.2

Description An issue allows a malicious user to generate an error state in the CA UI, which can be exploited to lead to privilege escalation and remote code execution. This is only exploitable when at least one accessible port lacks a requirement for client certificate authentication, such as ports 8442 or 8080 in a standard installation.

Recommendations For EJBCA versions prior to 6.15.2.6, update to version 6.15.2.6 or later. For EJBCA versions 7.x prior to 7.3.1.2, update to version 7.3.1.2 or later. As a temporary workaround, consider requiring client certificate authentication for all accessible ports, such as 8442 and 8080, to minimize the risk of exploitation.