CVE-2019-10179: 
Apache Velocity engine vulnerability analysis and mitigation

A vulnerability was discovered in all pki-core 10.x.x versions affecting the Key Recovery Authority (KRA) Agent Service. The vulnerability, identified as CVE-2019-10179, was reported on March 27, 2019, and involves a Reflected Cross-Site Scripting (XSS) vulnerability in the recovery request search page. The issue specifically affects the recoveryID search field at KRA's DRM agent page in the authorize recovery tab (CVE Details, Red Hat Bugzilla).

The vulnerability stems from improper sanitization of user input in the recoveryID search field at the KRA's DRM agent page. The CVSS v3 score for this vulnerability is 4.3, indicating a relatively low severity. The web UI implements client TLS authentication, which provides some inherent protection against exploitation (Red Hat Portal).

The impact of this vulnerability is considered low due to the security measures in place. While the vulnerability allows for potential defacing through XSS attacks, the web UI's use of client TLS authentication means that stealing session cookies would not be sufficient for unauthorized access. The vulnerable page itself does not contain sensitive information (Red Hat Bugzilla).

The vulnerability has been addressed through multiple security updates. Fixes were implemented in upstream commits 8884b4344225bd6656876d9e2a58b3268e9a899b and a93a65be0b1bcf94e004ba59c6a0c8a2c086936f. Red Hat has released several security advisories addressing this issue, including RHSA-2020:4847 for RHEL 8, RHSA-2021:0819 for RHEL 7.6 Extended Update Support, RHSA-2021:0851 for RHEL 7, and RHSA-2021:0975 for RHEL 7.7 Extended Update Support (Red Hat Bugzilla).