{"id":"BIT-ejbca-2020-25276","details":"An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. When using a client certificate to enroll over the EST protocol, no revocation check is performed on that certificate. This vulnerability can only affect a system that has EST configured, uses client certificates to authenticate enrollment, and has had such a certificate revoked. This certificate needs to belong to a role that is authorized to enroll new end entities. (To completely mitigate this problem prior to upgrade, remove any revoked client certificates from their respective roles.)","aliases":["CVE-2020-25276"],"modified":"2025-04-03T14:40:37.652Z","published":"2024-03-06T10:52:38.396Z","database_specific":{"cpes":["cpe:2.3:a:primekey:ejbca:*:*:*:*:enterprise:*:*:*"],"severity":"High"},"references":[{"type":"WEB","url":"https://support.primekey.com/news/posts/ejbca-security-advisory-revocation-check-not-performed-on-est-client-certificate"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-25276"}],"affected":[{"package":{"name":"ejbca","ecosystem":"Bitnami","purl":"pkg:bitnami/ejbca"},"ranges":[{"type":"SEMVER","events":[{"introduced":"7.0.0"},{"fixed":"7.4.1"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/ejbca/BIT-ejbca-2020-25276.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}],"schema_version":"1.7.3"}