389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), after the password for a LDAP user has been changed and before the server has been reset, allows remote attackers to read the plaintext password via the unhashed#user#password attribute.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Directory_server | Redhat | * | 8.2 (including) |
| Directory_server | Redhat | 7.1 (including) | 7.1 (including) |
| Directory_server | Redhat | 8.0 (including) | 8.0 (including) |
| Directory_server | Redhat | 8.1 (including) | 8.1 (including) |
| Red Hat Directory Server 8 for RHEL 5 | RedHat | redhat-ds-base-0:8.2.10-3.el5dsrv | * |
| Red Hat Enterprise Linux 6 | RedHat | 389-ds-base-0:1.2.10.2-18.el6_3 | * |
| 389-ds-base | Ubuntu | precise | * |
| 389-ds-base | Ubuntu | quantal | * |
| 389-ds-base | Ubuntu | raring | * |
| 389-ds-base | Ubuntu | saucy | * |
| 389-ds-base | Ubuntu | upstream | * |
References
- http://directory.fedoraproject.org/wiki/Release_Notes
- http://osvdb.org/83336
- http://rhn.redhat.com/errata/RHSA-2012-0997.html
- http://rhn.redhat.com/errata/RHSA-2012-1041.html
- http://secunia.com/advisories/49734
- http://www.securityfocus.com/bid/54153
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03772083
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19353
- http://directory.fedoraproject.org/wiki/Release_Notes
- http://osvdb.org/83336
- http://rhn.redhat.com/errata/RHSA-2012-0997.html
- http://rhn.redhat.com/errata/RHSA-2012-1041.html
- http://secunia.com/advisories/49734
- http://www.securityfocus.com/bid/54153
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03772083
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19353