Ejbca
CVE-2020-11630
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. In several sections of code, the verification of serialized objects sent between nodes (connected via the Peers protocol) allows insecure objects to be deserialized.
AnalysisAI
An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Deserialization of Untrusted Data (CWE-502), which allows attackers to execute arbitrary code through malicious serialized objects. An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. In several sections of code, the verification of serialized objects sent between nodes (connected via the Peers protocol) allows insecure objects to be deserialized. Affected products include: Primekey Ejbca. Version information: before 6.15.2.6.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid deserializing untrusted data. Use safe serialization formats (JSON). Implement integrity checks and type allowlists.
An issue was discovered in Keyfactor PrimeKey EJBCA before 7.9.0, related to possible inconsistencies in DNS identifiers
An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. Rated high severity (CVSS 8.8), this vulnerabil
In the Keyfactor EJBCA before 8.0.0, the RA web certificate distribution servlet /ejbca/ra/cert allows partial denial of
An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. Rated high severity (CVSS 7.3), this vulnerability i
An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. Rated high severity (CVSS 7.2), this vulnerabil
An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. Rated medium severity (CVSS 6.5), this vulnerab
An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. Rated medium severity (CVSS 6.1), this vulnerab
An issue was discovered in PrimeKey EJBCA before 7.6.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely
An issue was discovered in EJBCA before 6.15.2.6 and 7.x before 7.3.1.2. Rated medium severity (CVSS 5.3), this vulnerab
The vulnerability exists in the EJBCA service, version 8.0 Enterprise. Rated medium severity (CVSS 5.1), this vulnerabil
The vulnerability exists in the EJBCA service, version 8.0 Enterprise. Rated medium severity (CVSS 5.1), this vulnerabil
An issue exists in PrimeKey EJBCA before 7.4.3 when enrolling with EST while proxied through an RA over the Peers protoc
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today