March 6, 2022
Dear customers and partners,
PrimeKey has released an update to address a vulnerability in SignServer that was found as part of our internal testing.
Issue summary
During testing with a new combination of test data and request sequence in the SignServer Admin Web interface, a stored cross-site scripting (XSS) issue was found. If an administrator creates a worker whose name contains JavaScript code and then issues a Generate CSR request for that worker, the script embedded in the worker name is executed in the browser at the Generate CSR step, because the worker name is rendered into that page without being escaped.
Severity
Low. Only an authenticated and authorized SignServer administrator can perform the attack, and every update of a worker name configured in SignServer is recorded in the audit log.
Who is potentially affected?
Customers whose SignServer deployments have many users with administrative access, or where an administrative account has been compromised.
Who is not affected?
Customers who are confident that every user with administrative access to SignServer is fully trusted.
Mitigations
This issue is fixed in SignServer 5.8.1, which also fixes similar issues in other parts of Admin Web. Customers are advised to upgrade as soon as possible.
Until you have upgraded, review your audit log for worker name updates and check whether any of the new names contain unexpected content, such as HTML tags, quotation marks or script fragments, that has no place in a worker name.
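The audit log review suggested above can be scripted. The following is an added example written for this page, not a Keyfactor or SignServer tool: it scans an exported audit log for worker NAME updates and flags names that fall outside a strict allowlist, giving the reason (script tag, HTML tag, event handler attribute, and so on). The pipe-separated line format, the event name SET_WORKER_CONFIG, the sample lines and the allowlist of permitted name characters are all constructed assumptions of this example; adapt parse_line() and ALLOWED_NAME to your own audit export before use.

```python
"""Flag suspicious worker name updates in an exported audit log.

The log format below is CONSTRUCTED for this example and is not SignServer's
real audit export format: ts|admin|event|worker_id|property|value, with the
value as the last field so it may contain any payload, including '|'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample export (not real SignServer output). Worker 7 is renamed
# legitimately, workers 12 and 13 get XSS payloads, worker 14 gets a harmless
# name with a space that still fails the allowlist.
SAMPLE_AUDIT_LOG = """\
2022-03-01T10:02:11Z|CN=Alice|SET_WORKER_CONFIG|7|NAME|PDFSigner
2022-03-01T10:05:43Z|CN=Alice|SET_WORKER_CONFIG|7|DEFAULTKEY|signKey
2022-03-02T08:13:07Z|CN=Bob|SET_WORKER_CONFIG|12|NAME|TimeStampSigner<script>alert(1)</script>
2022-03-02T08:15:00Z|CN=Bob|SET_WORKER_CONFIG|13|NAME|XMLSigner" onmouseover="alert(1)
2022-03-03T09:00:00Z|CN=Alice|SET_WORKER_CONFIG|14|NAME|CMS Signer
2022-03-03T12:00:00Z|CN=Carol|GENERATE_CSR|12
"""

# Assumed allowlist for legitimate worker names (an assumption of this
# example, not a SignServer rule): letters, digits, '_', '-' and '.'.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")

# Checked in order; the first match gives the reported reason.
MARKERS = [
    (re.compile(r"<\s*/?\s*script", re.I), "script tag"),
    (re.compile(r"<[a-z!/]", re.I), "HTML tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event handler attribute"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
    (re.compile(r"[\"'<>&]"), "HTML metacharacter"),
]


@dataclass
class AuditEvent:
    timestamp: str
    admin: str
    event: str
    worker_id: str
    prop: Optional[str]
    value: Optional[str]


@dataclass
class Finding:
    timestamp: str
    admin: str
    worker_id: str
    name: str
    reason: str


def parse_line(line: str) -> Optional[AuditEvent]:
    """Parse one constructed-format line; events without a property/value
    (for example GENERATE_CSR) get None for the missing fields."""
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    parts = line.split("|", 5)
    if len(parts) < 4:
        return None
    parts += [None] * (6 - len(parts))
    return AuditEvent(*parts)


def classify_name(name: str) -> Optional[str]:
    """Return why a worker name looks suspicious, or None if it is clean."""
    if ALLOWED_NAME.match(name):
        return None
    for pattern, reason in MARKERS:
        if pattern.search(name):
            return reason
    return "name contains characters outside the allowlist"


def find_suspicious_renames(log_text: str) -> List[Finding]:
    """Return one Finding per worker NAME update whose value is not clean."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.event != "SET_WORKER_CONFIG" or ev.prop != "NAME":
            continue
        reason = classify_name(ev.value or "")
        if reason is not None:
            findings.append(Finding(ev.timestamp, ev.admin, ev.worker_id, ev.value or "", reason))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_renames(SAMPLE_AUDIT_LOG):
        print(f"{f.timestamp} worker {f.worker_id} renamed by {f.admin}: {f.reason}: {f.name!r}")
```

A hit on a script tag, HTML tag or event handler attribute is a strong signal that someone tried to plant a payload; a hit on the allowlist alone (the "CMS Signer" case) is usually just a name with a space and is worth a glance rather than an incident. Findings carry the administrator identity from the log, so a genuine payload points you straight at the account to investigate.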
Additional information
Should you have any additional questions, please reach out to support@keyfactor.com.