
Cloud Vulnerability DB
A community-led vulnerabilities database
A Cross-site request forgery (CSRF) vulnerability was discovered in the ipa/session/login_password endpoint in all supported versions of IPA (CVE-2023-5455). The vulnerability was identified during community penetration testing and disclosed on January 10, 2024 (FreeIPA Release Notes).
The vulnerability exists because certain HTTP endpoints in FreeIPA do not ensure proper CSRF protection. The system uses the HTTP Referer header for CSRF protection, but the check is not applied universally; specifically, the URI ipa/session/login_password is not protected. The vulnerability has a CVSS v3.1 base score of 6.5 (MODERATE) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD).
An attacker could exploit this vulnerability to trick users into submitting requests that perform actions on their behalf, potentially leading to a loss of confidentiality and system integrity. However, due to implementation details, the flaw cannot be used for reflection of a cookie representing an already logged-in user; an attacker would always have to go through a new authentication attempt (FreeIPA Release Notes).
The vulnerability has been patched in multiple FreeIPA versions: 4.6.10, 4.9.14, 4.10.3, and 4.11.1. The fix involves implementing proper CSRF protection by checking the HTTP Referer header on all requests (FreeIPA Release Notes). Red Hat has released security updates for affected versions across RHEL 7, 8, and 9 platforms (Red Hat CVE).
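As an added illustration of the class of fix described above (example code, not FreeIPA's own implementation), the following check rejects state-changing requests to the login endpoint whose Referer is missing or does not match the server's own origin. The protected path list, the header layout and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Paths that must only be reached from the server's own web UI.
# Assumed for this example; FreeIPA's real list may differ.
PROTECTED_PATHS = {"/ipa/session/login_password"}

# Methods that change state and therefore need the CSRF check.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def referer_allowed(method, path, headers, expected_host, scheme="https"):
    """Return True if the request may proceed past the CSRF check.

    Only state-changing requests to protected paths are checked. A missing,
    malformed, downgraded (http://) or cross-origin Referer is rejected.
    The full netloc (host and port) is compared, so a look-alike host such
    as ipa.example.test.attacker.example does not pass.
    """
    if method.upper() not in STATE_CHANGING or path not in PROTECTED_PATHS:
        return True
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer", "")
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme != scheme:
        return False
    return parts.netloc.lower() == expected_host.lower()


def audit_requests(records, expected_host):
    """Return the indices of constructed request records that the check
    would reject; useful for replaying access-log entries against a
    proposed policy before enforcing it."""
    rejected = []
    for i, rec in enumerate(records):
        if not referer_allowed(rec["method"], rec["path"],
                               rec.get("headers", {}), expected_host):
            rejected.append(i)
    return rejected


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    sample = [
        {"method": "POST", "path": "/ipa/session/login_password",
         "headers": {"Referer": "https://ipa.example.test/ipa/ui/"}},
        {"method": "POST", "path": "/ipa/session/login_password",
         "headers": {}},
    ]
    print(audit_requests(sample, "ipa.example.test"))
```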
The FreeIPA team acknowledged and thanked Egor Uvarov for discovering and reporting this security issue. Red Hat Product Security assessed the overall severity of this issue as MODERATE (FreeIPA Release Notes).
Source: This report was generated using AI