{"api_version":"1","generated_at":"2026-05-01T11:54:30+00:00","cve":"CVE-2021-3698","urls":{"html":"https://cve.report/CVE-2021-3698","api":"https://cve.report/api/cve/CVE-2021-3698.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-3698","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-3698"},"summary":{"title":"CVE-2021-3698","description":"A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2022-03-10 17:42:00","updated_at":"2022-03-14 23:59:00"},"problem_types":["CWE-295"],"metrics":[],"references":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1992149","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1992149","refsource":"MISC","tags":[],"title":"1992149 – (CVE-2021-3698) CVE-2021-3698 cockpit: authenticates with revoked certificates","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-3698","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3698","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"3698","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"cockpit-project","cpe5":"cockpit","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3698","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-3698","qid":"159832","title":"Oracle Enterprise Linux Security Update for cockpit (ELSA-2022-2008)"},{"cve":"CVE-2021-3698","qid":"183767","title":"Debian Security Update for cockpit (CVE-2021-3698)"},{"cve":"CVE-2021-3698","qid":"240279","title":"Red Hat Update for cockpit security (RHSA-2022:2008)"},{"cve":"CVE-2021-3698","qid":"282239","title":"Fedora Security Update for cockpit (FEDORA-2022-675c38e70e)"},{"cve":"CVE-2021-3698","qid":"900771","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for cockpit (8933)"},{"cve":"CVE-2021-3698","qid":"902037","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for cockpit (8933-1)"},{"cve":"CVE-2021-3698","qid":"940570","title":"AlmaLinux Security Update for cockpit (ALSA-2022:2008)"},{"cve":"CVE-2021-3698","qid":"960127","title":"Rocky Linux Security Update for cockpit (RLSA-2022:2008)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-3698","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"cockpit","version":{"version_data":[{"version_value":"cockpit versions prior to 260"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-295"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1992149","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1992149"}]},"description":{"description_data":[{"lang":"eng","value":"A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality."}]}},"nvd":{"publishedDate":"2022-03-10 17:42:00","lastModifiedDate":"2022-03-14 23:59:00","problem_types":["CWE-295"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:cockpit-project:cockpit:*:*:*:*:*:*:*:*","versionEndExcluding":"260","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"3698","Ordinal":"214040","Title":"CVE-2021-3698","CVE":"CVE-2021-3698","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"3698","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}