CVE-2018-1080

Priority
Description
Dogtag PKI, through version 10.6.1, has a vulnerability in AAclAuthz.java
that, under certain configurations, causes the application of ACL allow and
deny rules to be reversed. If a server is configured to process allow rules
before deny rules (authz.evaluateOrder=allow,deny), then allow rules will
deny access and deny rules will grant access. This may result in an
escalation of privileges or have other unintended consequences.
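
The description ties exposure to one configuration value, so a configuration audit is the natural first check. The script below is an added example, not code from this tracker or from the Dogtag project. It assumes the caller supplies the path of each configuration file to inspect, and the function names are hypothetical. It is deliberately conservative: it flags any active assignment and ignores case and whitespace, which may be broader than what the server's own parser accepts.

```shell
#!/bin/sh
# Added example: audit configuration files for the evaluation order named in
# CVE-2018-1080. File paths are supplied by the caller (assumption).

# Print every active (non-comment) authz.evaluateOrder value, normalized:
# spaces, tabs and carriage returns removed, lower-cased, one value per line.
evaluate_orders() {
    sed -n 's/^[[:space:]]*authz\.evaluateOrder[[:space:]]*=//p' "$1" |
        tr -d ' \t\r' | tr 'A-Z' 'a-z'
}

# Return 0 if allow,deny is not configured, 1 if it is,
# 2 if the file is missing or unreadable.
audit_cfg() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "UNREADABLE $cfg" >&2
        return 2
    fi
    if evaluate_orders "$cfg" | grep -qx 'allow,deny'; then
        echo "EXPOSED $cfg: authz.evaluateOrder=allow,deny"
        return 1
    fi
    echo "OK $cfg"
    return 0
}

# Audit every file given; return non-zero if any is exposed or unreadable.
audit_all() {
    rc=0
    for f in "$@"; do
        audit_cfg "$f" || rc=1
    done
    return $rc
}

# Run only when file arguments were passed on the command line.
[ "$#" -eq 0 ] || audit_all "$@"
```

An `EXPOSED` result means the file matches the configuration condition in the description; whether the installed package carries the fix is a separate question answered by the status list below.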
Notes
Package
Upstream: released (10.6.1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (10.6.0-1ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa): not-affected
Ubuntu 20.10 (Groovy Gorilla): not-affected
Patches:
Upstream: https://github.com/dogtagpki/pki/commit/b54975f4cac60e2f4332b08414f1b5ea4de62601
More Information

Updated: 2020-10-24 06:46:59 UTC (commit 69e225d81a6ee3e2e014950178db797c5d4e5009)