Vulnerability Details : CVE-2022-26355
Citrix Federated Authentication Service (FAS) 7.17 - 10.6 causes deployments that have been configured to store a registration authority certificate's private key in a Trusted Platform Module (TPM) to incorrectly store that key in the Microsoft Software Key Storage Provider (MSKSP). This issue only occurs if PowerShell was used when configuring FAS to store the registration authority certificate’s private key in the TPM. It does not occur if the TPM was not selected for use or if the FAS administration console was used for configuration.
Products affected by CVE-2022-26355
- Citrix » Federated Authentication Service, versions from 7.17 (>=) up to and including 10.6 (<=); CPE: cpe:2.3:a:citrix:federated_authentication_service:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-26355
- Probability of exploitation activity in the next 30 days: 0.06%
- Percentile (the proportion of vulnerabilities scored at or below this value): ~16%
EPSS Score History
CVSS scores for CVE-2022-26355
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
1.9 | LOW | AV:L/AC:M/Au:N/C:P/I:N/A:N | 3.4 | 2.9 | NIST | |
4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 0.8 | 3.6 | NIST | |
CWE ids for CVE-2022-26355
- The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Assigned by:
- nvd@nist.gov (Primary)
- secure@citrix.com (Secondary)
References for CVE-2022-26355
- https://support.citrix.com/article/CTX341587 : Citrix Federated Authentication Service (FAS) Security Update (Vendor Advisory)