
Archive of EJBCA security issues

We maintain the following historical list of EJBCA security issues which have been fixed and submitted as CVEs (Common Vulnerabilities and Exposures).

For issues affecting supported versions of EJBCA, each entry gives the CVE identifier, a link to the full security advisory, and the product version in which the issue was resolved. For CVEs affecting versions that are no longer supported, only the CVE identifier, a short description, and the resolving version (with its release notes) are listed; no separate advisory is published for those.

To learn more about our security posture, refer to Keyfactor Trust Center.

2024

CVE-2024-36066

EJBCA standalone CMP CLI client - View EJBCA Security Advisory

Resolved in product version: EJBCA 8.3.1

2023

CVE-2023-34196 

Partial denial of service attack on certificate distribution servlet /ejbca/ra/cert - View EJBCA Security Advisory

Resolved in product version: EJBCA 8.0


Security issues in EJBCA versions no longer supported

2022

CVE-2022-42954

XSS Vulnerability in EJBCA RA Web

Resolved in EJBCA version: EJBCA 7.10.0.1

CVE-2022-39834

XSS Vulnerability in EJBCA CA UI

Resolved in EJBCA version: EJBCA 7.10.0.1

CVE-2022-34831 

ACME issuance of certificates with non-validated domains

Resolved in EJBCA version: EJBCA 7.6.0

2021

CVE-2021-40089

General Purpose Custom Publisher able to Run Despite External Scripts Being Disabled

Resolved in EJBCA version: EJBCA 7.6.0

CVE-2021-40088

CMP Revocation Ignores Multi Tenancy Constraints 

Resolved in EJBCA version: EJBCA 7.6.0

CVE-2021-40087

Enrollment Secrets Logged in Audit Log

Resolved in EJBCA version: EJBCA 7.6.0

CVE-2021-40086

Enrollment Secrets Reflected in UI

Resolved in EJBCA version: EJBCA 7.6.0

2020

CVE-2020-28942

Domain Security over EST 

Resolved in EJBCA versions: EJBCA 7.4.3, EJBCA 7.4.1.1

CVE-2020-25276

Revocation check not performed on EST client certificate

Resolved in EJBCA version: EJBCA 7.4.1 

CVE-2020-11631

Authentication Bypass Vulnerability

Resolved in EJBCA versions: EJBCA 7.3.1.2, EJBCA 6.15.2.6

CVE-2020-11630

Deserialization Bug

Resolved in EJBCA versions: EJBCA 7.3.1.2, EJBCA 6.15.2.6

CVE-2020-11629

Unchecked Certificate Uploads in Validator

Resolved in EJBCA versions: EJBCA 7.3.1.2, EJBCA 6.15.2.6

CVE-2020-11628

Protocol Access Control Bypass

Resolved in EJBCA versions: EJBCA 7.3.1.2, EJBCA 6.15.2.6

CVE-2020-11627

XSS and CSRF Issues

Resolved in EJBCA versions: EJBCA 7.3.1.2, EJBCA 6.15.2.6
