Red Hat Certificate System is an enterprise software system designed to manage enterprise public key infrastructure (PKI) deployments. PKI Core contains fundamental packages required by Red Hat Certificate System, which comprise the Certificate Authority (CA) subsystem.
About Vulnerability (CVE-2022-2414)
A flaw was found in pki-core. Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
There is no known mitigation for this issue, please update the affected package as soon as possible.
|Red Hat Certificate System 10||pki-core||Affected|
|Red Hat Certificate System 9||pki-core||Affected|
|Red Hat Enterprise Linux 6||pki-core||Out of support scope|
|Red Hat Enterprise Linux 7||pki-core||Fixed|
|Red Hat Enterprise Linux 8||pki-core:10.6||Fixed|
|Red Hat Enterprise Linux 9||pki-core||Fixed|
The bugs have been discovered by Egor Dimitrenko (Positive Technologies)
Yes, the exploit code is available. You can check the exploit here.