CVE Vulnerabilities

CVE-2018-10871

Cleartext Storage of Sensitive Information

Published: Jul 18, 2018 | Modified: Nov 21, 2024
CVSS 3.x
7.2
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
4 MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
RedHat/V2
RedHat/V3
3.8 MODERATE
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Ubuntu
MEDIUM

389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.

Weakness

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Affected Software

Name Vendor Start Version End Version
389_directory_server Fedoraproject * 1.3.8.5 (excluding)
389_directory_server Fedoraproject 1.4.0.0 (including) 1.4.0.12 (excluding)
Red Hat Enterprise Linux 8 RedHat 389-ds:1.4-8010020190903200205.eb48df33 *
389-ds-base Ubuntu artful *
389-ds-base Ubuntu bionic *
389-ds-base Ubuntu cosmic *
389-ds-base Ubuntu esm-apps/bionic *
389-ds-base Ubuntu esm-apps/xenial *
389-ds-base Ubuntu trusty *
389-ds-base Ubuntu upstream *
389-ds-base Ubuntu xenial *

Potential Mitigations

References