CVE-2021-40086

Name of the Vulnerable Software and Affected Versions PrimeKey EJBCA versions prior to 7.6.0

Description An issue was discovered where the enrollment secret for SCEP, CMP, EST, and Auto-enrollment aliases is reflected on a page, accessible to administrators. Although the secret is hidden from direct view, it can be revealed by checking the page source.

Recommendations For versions prior to 7.6.0, update to version 7.6.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the configuration page for SCEP, CMP, EST, and Auto-enrollment aliases to minimize the risk of the enrollment secret being exposed.