{
  "threat_severity" : "Low",
  "public_date" : "2020-02-03T00:00:00Z",
  "bugzilla" : {
    "description" : "pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab",
    "id" : "1695901",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1695901"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "A vulnerability was found in all pki-core 10.x.x versions, where the Key Recovery Authority (KRA) Agent Service did not properly sanitize the recoveryID search field on the recovery request search page, enabling a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim (a KRA agent) into opening a crafted link, causing specially crafted JavaScript to execute in the victim's browser session.", "It was found that the Key Recovery Authority (KRA) Agent Service did not properly sanitize the recoveryID search field on the recovery request search page, enabling a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could trick an authenticated victim (a KRA agent) into opening a crafted link, causing specially crafted JavaScript to execute in the victim's browser session." ],
  "statement" : "This vulnerability is rated Low: the KRA agent web UI authenticates users with client TLS certificates, so stealing session cookies is not sufficient for unauthorized access, and the vulnerable page itself does not contain secrets. Note that the injected script still executes in the authenticated agent's browser session, which is why the CVSS vector records a low Integrity impact (I:L) rather than none.",
  "acknowledgement" : "This issue was discovered by Pritam Singh (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2021-03-16T00:00:00Z",
    "advisory" : "RHSA-2021:0851",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "pki-core-0:10.5.18-12.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.6 Extended Update Support",
    "release_date" : "2021-03-15T00:00:00Z",
    "advisory" : "RHSA-2021:0819",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.6",
    "package" : "pki-core-0:10.5.9-15.el7_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.7 Extended Update Support",
    "release_date" : "2021-03-23T00:00:00Z",
    "advisory" : "RHSA-2021:0975",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.7",
    "package" : "pki-core-0:10.5.16-7.el7_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4847",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "pki-core:10.6-8030020200911215836.5ff1562f"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4847",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "pki-deps:10.6-8030020200527165326.30b713e6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "pki-core",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10179\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10179" ],
  "name" : "CVE-2019-10179",
  "csaw" : false
}