The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of OpenCA PKI

vulnerability alert 13211

OpenCA PKI: memory leak via OpenSSL

Synthesis of the vulnerability

An attacker can create a memory leak in the OpenSSL module of OpenCA PKI, in order to trigger a denial of service.
Impacted products: OpenCA PKI.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: document.
Creation date: 05/08/2013.
Identifiers: VIGILANCE-VUL-13211.

Description of the vulnerability

The OpenCA PKI product has an OpenSSL module.

However, the memory allocated by this module is not always freed.

An attacker can therefore create a memory leak in the OpenSSL module of OpenCA PKI, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2008-0556

OpenCA: Cross Site Request Forgery

Synthesis of the vulnerability

When OpenCA administrator sees a malicious web page, a certificate can be created.
Impacted products: OpenCA PKI.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: document.
Creation date: 13/02/2008.
Identifiers: AKLINK-SA-2008-001, CVE-2008-0556, VIGILANCE-VUL-7596, VU#264385.

Description of the vulnerability

The OpenCA tool provides a web site where administrator can generate and handle certificates.

However, the origin of the HTTP query is not checked. An attacker can therefore create a HTML page containing an image whose uri is an OpenCA command. When administrator will display this HTML page, the command will be executed during the image loading trial.

An attacker can for example force administrator to generate a certificate while he browses a malicious HTML page.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about OpenCA PKI: