vulnerability

Amazon Linux AMI 2: CVE-2023-5455: Security patch for ipa (Multiple Advisories)

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:C/A:N)

Published

Jan 10, 2024

Added

Feb 21, 2024

Modified

May 20, 2026

Description

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

Solutions

amazon-linux-ami-2-upgrade-ipa-clientamazon-linux-ami-2-upgrade-ipa-client-commonamazon-linux-ami-2-upgrade-ipa-commonamazon-linux-ami-2-upgrade-ipa-debuginfoamazon-linux-ami-2-upgrade-ipa-python-compatamazon-linux-ami-2-upgrade-ipa-serveramazon-linux-ami-2-upgrade-ipa-server-commonamazon-linux-ami-2-upgrade-ipa-server-dnsamazon-linux-ami-2-upgrade-ipa-server-trust-adamazon-linux-ami-2-upgrade-python2-ipaclientamazon-linux-ami-2-upgrade-python2-ipalibamazon-linux-ami-2-upgrade-python2-ipaserver

References

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report