PT-2020-16057 · Primekey · Primekey Ejbca

Published: 2020-09-11 · Updated: 2024-03-06 · CVE-2020-25276

CVSS v3.1: 7.3 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: PrimeKey EJBCA versions 6.x through 7.4.0

Description: No revocation check is performed on the client certificate used to authenticate enrollment over the EST protocol. This affects systems that have EST configured, use client certificates for enrollment authentication, and have a revoked certificate that still belongs to a role authorized for new end-entity enrollment.

Recommendations: For PrimeKey EJBCA versions 6.x through 7.4.0, mitigate the issue by removing any revoked client certificates from their respective roles until an upgrade to a fixed version is possible. Upgrade to version 7.4.1 or later to fully resolve the issue.
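The following is an added illustration of the flaw the description refers to and of the two responses the advisory recommends; it is not EJBCA code and does not use the EJBCA API. Certificates, roles and the CRL are modelled as plain dataclasses with constructed sample values (issuer DN, serial numbers, role name). The vulnerable authorization path consults role membership only; the fixed path first looks the client certificate up on its issuer's CRL and fails closed when the CRL is missing or stale. A small audit helper lists revoked certificates still present in enrollment-capable roles, which is the interim mitigation.

```python
"""Model of EST enrollment authorization with and without a client-certificate
revocation check. Added illustration; the certificate, role and CRL objects
below are constructed stand-ins, not EJBCA's own classes or API."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ClientCert:
    issuer: str   # issuer DN, used to select the matching CRL
    serial: int   # certificate serial number
    subject: str


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: Set[int] = field(default_factory=set)


@dataclass
class Role:
    name: str
    may_enroll_end_entities: bool
    members: List[ClientCert] = field(default_factory=list)


class EnrollmentDenied(Exception):
    """Raised when an EST enrollment request must be refused."""


def is_revoked(cert: ClientCert, crls: Dict[str, CRL], now: datetime) -> bool:
    """Look the certificate up on its issuer's CRL.

    Fails closed: if no CRL is known for the issuer, or the CRL is outside its
    validity window, the answer cannot be trusted and enrollment is refused.
    """
    crl = crls.get(cert.issuer)
    if crl is None:
        raise EnrollmentDenied(f"no CRL available for issuer {cert.issuer!r}")
    if not (crl.this_update <= now <= crl.next_update):
        raise EnrollmentDenied(f"CRL for {cert.issuer!r} is stale; refusing to decide")
    return cert.serial in crl.revoked_serials


def role_allows_enrollment(cert: ClientCert, roles: List[Role]) -> bool:
    """Role membership test only: does any role holding this cert permit enrollment?"""
    return any(r.may_enroll_end_entities and cert in r.members for r in roles)


def authorize_est_enrollment_vulnerable(cert: ClientCert, roles: List[Role]) -> bool:
    """The behaviour the advisory describes: role membership is consulted but the
    certificate's revocation status never is, so a revoked cert still enrolls."""
    return role_allows_enrollment(cert, roles)


def authorize_est_enrollment_fixed(cert: ClientCert, roles: List[Role],
                                   crls: Dict[str, CRL], now: datetime) -> bool:
    """Hardened form: revocation is checked before role membership is trusted."""
    if is_revoked(cert, crls, now):
        raise EnrollmentDenied(f"client certificate serial {cert.serial:#x} is revoked")
    return role_allows_enrollment(cert, roles)


def revoked_role_members(roles: List[Role], crls: Dict[str, CRL],
                         now: datetime) -> List[Tuple[str, ClientCert]]:
    """Audit helper for the interim mitigation: every (role name, cert) pair whose
    cert is revoked, so those members can be removed from their roles."""
    found = []
    for role in roles:
        for cert in role.members:
            if is_revoked(cert, crls, now):
                found.append((role.name, cert))
    return found


# Constructed sample data (not from a real CA): one issuing CA, two operator
# certificates in an enrollment-capable role, and a CRL revoking one of them.
NOW = datetime(2020, 9, 11, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=30)          # a point in time after the CRL's nextUpdate
ISSUER = "CN=Example Issuing CA,O=Example"
ACTIVE = ClientCert(ISSUER, 0x1001, "CN=est-operator-1")
REVOKED = ClientCert(ISSUER, 0x1002, "CN=est-operator-2")
CRLS = {ISSUER: CRL(ISSUER, NOW - timedelta(days=1), NOW + timedelta(days=6), {0x1002})}
ROLES = [Role("EST Enrollers", True, [ACTIVE, REVOKED])]

if __name__ == "__main__":
    print("vulnerable path admits revoked cert:",
          authorize_est_enrollment_vulnerable(REVOKED, ROLES))
    try:
        authorize_est_enrollment_fixed(REVOKED, ROLES, CRLS, NOW)
    except EnrollmentDenied as e:
        print("fixed path refuses:", e)
    print("audit finds:", [(r, c.subject) for r, c in revoked_role_members(ROLES, CRLS, NOW)])
```

The fail-closed handling of a missing or expired CRL is a deliberate design choice: treating "no usable revocation data" as "not revoked" would reintroduce the same class of problem the advisory describes whenever CRL distribution breaks.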

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

BIT-EJBCA-2020-25276
CVE-2020-25276

Affected Products

Primekey Ejbca