PT-2022-10608 · Cockpit+7 · Cockpit+7

Guilherme De Almeida Suckevicz

Published

2022-03-08

Updated

2026-01-29

CVE-2021-3698

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Cockpit versions prior to 260

Description A flaw was found in the way Cockpit handles certificate verification performed by the System Security Services Daemon (SSSD), allowing client certificates to authenticate successfully regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this issue is to confidentiality.

Recommendations For versions prior to 260, update to version 260 or later to resolve the issue. As a temporary workaround, consider restricting the use of client certificates until a patch is available.

Fix

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-295

Related Identifiers

ALSA-2022:2008

ALT-PU-2022-3242

CESA-2022_2008

CVE-2021-3698

MGASA-2022-0202

RHSA-2022:2008

RHSA-2022_2008

RLSA-2022:2008

Affected Products

Alt Linux

Almalinux

Centos

Cockpit

Debian

Red Hat

Red Os

Rocky Linux

PT-2022-10608 · Cockpit+7 · Cockpit+7

CVE-2021-3698

Weakness Enumeration

Related Identifiers

Affected Products

References · 34