Lucene search

Veracode Vulnerability DatabaseVERACODE:45020

HistoryJan 13, 2024 - 5:37 a.m.

Information Exposure

2024-01-1305:37:51

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

389-ds-base

information exposure

ldap

userpassword

usercertificate

sensitive information

cockpit-389-ds

hashed passwords

vulnerability

exploitation

software

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

389-ds-base is vulnerable to Information Exposure. The vulnerability is due to LDAP mistakenly decoding the userPassword attribute instead of the userCertificate attribute, potentially leading to the leakage of sensitive information. An attacker with local access to a system running cockpit-389-ds could exploit this flaw to view hashed passwords.

CPENameOperatorVersion
389-ds-base:sideq1.4.4.8-1
389-ds-base:sideq1.4.4.16-1
389-ds-base:sideq1.4.4.8-1
389-ds-base:sideq1.4.4.16-1

Name	Operator	Version
389-ds-base:sid	eq	1.4.4.8-1
389-ds-base:sid	eq	1.4.4.16-1
389-ds-base:sid	eq	1.4.4.8-1
389-ds-base:sid	eq	1.4.4.16-1

References

bugzilla.redhat.com/show_bug.cgi?id=2173517#c0

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZOYQ5TCV6ZEPMDV4CSLK3KINAAO4SRI/

security-tracker.debian.org/tracker/CVE-2023-1055

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

Related for VERACODE:45020