How to fix CVE-2023-5455?

Within 30 days: Identify affected systems running ipa/session/login_password in all supported and apply vendor patches as part of regular patch cycle. Verify anti-CSRF tokens are enforced.

Is Enterprise Linux For Power Little Endian Eus affected by CVE-2023-5455?

Organizations using ipa/session/login_password in all supported should be aware of notable risk from CVE-2023-5455, a cross-site request forgery vulnerability rated CVSS 6.5. Users could be tricked into performing unintended actions.

CVE-2023-5455

MEDIUM

2024-01-10 [email protected]

6.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 18, 2026 - 04:45 vuln.today

CVE Published

Jan 10, 2024 - 13:15 nvd

MEDIUM 6.5

Tags

CSRF Enterprise Linux For Power Little Endian Eus Enterprise Linux For Power Big Endian Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Enterprise Linux For Arm 64 Eus Codeready Linux Builder Enterprise Linux Server For Ibm Z Systems Enterprise Linux Update Services For Sap Solutions Fedora Enterprise Linux Desktop Enterprise Linux Server Aus Enterprise Linux For Scientific Computing Enterprise Linux Server Enterprise Linux For Ibm Z Systems Eus Enterprise Linux Enterprise Linux For Power Little Endian Enterprise Linux Server Tus Freeipa Enterprise Linux Workstation Enterprise Linux Eus Enterprise Linux For Ibm Z Systems Enterprise Linux Server Update Services For Sap Solutions

Description

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

Analysis

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA.

Technical Context

Cross-Site Request Forgery forces authenticated users to perform unintended actions by tricking their browser into sending forged requests. This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352).

Affected Products

Affected products: Freeipa Freeipa

Remediation

Implement anti-CSRF tokens for all state-changing operations. Use SameSite cookie attribute. Verify the Origin/Referer header on the server side.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +32

POC: 0

CVE-2023-5455 vulnerability details – vuln.today

Back

CVE-2023-5455

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code