An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.
The vulnerability, classified as CWE-287 (Improper Authentication), allows a remote attacker to bypass authorization control mechanisms in ACME or SCEP provisioners in Step CA. An attacker can thus trick the server into issuing certificates without completing the required identity verification steps provided by the respective protocol. The attack is possible remotely, without authentication, and its scope of impact extends beyond the directly vulnerable component (S:C in the CVSS vector).
An attacker can obtain fraudulent digital certificates for arbitrary domains or identities without legitimate authorization, leading to serious compromise of PKI infrastructure integrity and potential impersonation of trusted services.
Apply patches available from the vendor according to references — detailed information about the patched version can be found in the security advisory at https://github.com/smallstep/certificates/security/advisories/GHSA-h8cp-697h-8c8p
Versions indicated in vendor references (smallstep/certificates — ACME and SCEP provisioner components in Step CA)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N