CVE-2023-1055

2023-02-2722:15:09

Debian Security Bug Tracker

security-tracker.debian.org

vulnerability

rhds

ldap

userpassword

data confidentiality

unix

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

A flaw was found in RHDS 11 and RHDS 12. While browsing entries LDAP tries to decode the userPassword attribute instead of the userCertificate attribute which could lead into sensitive information leaked. An attacker with a local account where the cockpit-389-ds is running can list the processes and display the hashed passwords. The highest threat from this vulnerability is to data confidentiality.

OSVersionArchitecturePackageVersionFilename
Debian12all389-ds-base<= 2.3.1+dfsg1-1389-ds-base_2.3.1+dfsg1-1_all.deb
Debian11all389-ds-base<= 1.4.4.11-2389-ds-base_1.4.4.11-2_all.deb
Debian999all389-ds-base< 2.3.4+dfsg1-1389-ds-base_2.3.4+dfsg1-1_all.deb
Debian13all389-ds-base< 2.3.4+dfsg1-1389-ds-base_2.3.4+dfsg1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	389-ds-base	<= 2.3.1+dfsg1-1	389-ds-base_2.3.1+dfsg1-1_all.deb
Debian	11	all	389-ds-base	<= 1.4.4.11-2	389-ds-base_1.4.4.11-2_all.deb
Debian	999	all	389-ds-base	< 2.3.4+dfsg1-1	389-ds-base_2.3.4+dfsg1-1_all.deb
Debian	13	all	389-ds-base	< 2.3.4+dfsg1-1	389-ds-base_2.3.4+dfsg1-1_all.deb