CVE-2019-14823

Summary

A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to attacks such as Man in the Middle.

Affected Software

VendorProductVersion RangeStatus
DogtagJSSaffects >= 4.4.6affected
DogtagJSSaffects >= 4.5.3affected
DogtagJSSaffects >= 4.6.0affected

Weaknesses

  • CWE-358: CWE-358

ADP Enrichment

CVE Program Container

Additional References

References