CVE-2019-10221: 
Apache Velocity engine vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the pki-ca module of the pki-core server, identified as CVE-2019-10221. The vulnerability was reported on July 23, 2019, and was caused by missing sanitization of GET URL parameters in the getcookies?url= endpoint in CA (Red Hat Portal, Bugzilla Report).

The vulnerability exists in the getcookies?url= endpoint of the Certificate Authority (CA) component, stemming from inadequate sanitization of GET URL parameters. The severity was rated as Low due to the web UI's implementation of client TLS authentication, which means that stealing session cookies would not be sufficient for unauthorized access (Bugzilla Report).

The security impact of this vulnerability was considered limited. While the flaw could potentially be used for defacing attacks, the web UI's use of client TLS authentication significantly reduces the risk. The vulnerable page itself does not contain sensitive information, and stolen session cookies would not provide unauthorized access (Bugzilla Report).

The vulnerability was addressed in pki-core version 10.9.0. An upstream fix was implemented and can be found in the GitHub repository. Red Hat released several security advisories to address this issue across different products, including RHSA-2020:4847, RHSA-2021:0819, RHSA-2021:0851, and RHSA-2021:0975 (Bugzilla Report, Red Hat Portal).