ID CVE-2012-2746
Summary 389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), when the password of a LDAP user has been changed and audit logging is enabled, saves the new password to the log in plain text, which allows remote authenticated users to read the password.
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:directory_server:7.1:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:directory_server:7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:directory_server:8.0:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:directory_server:8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:directory_server:8.1:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:directory_server:8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:directory_server:-:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:directory_server:-:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:directory_server:8:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:directory_server:8:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:directory_server:8.2:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:directory_server:8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc1:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc1:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc2:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc2:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc3:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc3:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc4:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc4:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:a2:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:a2:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:a3:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:a3:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:a4:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:a4:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc1:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc1:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc2:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc2:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc3:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc3:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc6:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc6:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc7:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc7:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.7:alpha3:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.7:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.7.5:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.7.5:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.8:alpha1:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.8:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.8:alpha2:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.8:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.8:alpha3:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.8:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.8:rc1:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.8:rc1:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.8:rc2:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.8:rc2:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.8.1:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.8.2:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.8.3:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.9.9:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.9.9:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.10:alpha8:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.10:alpha8:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.10:rc1:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.10:rc1:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.10.1:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.10.2:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.10.3:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.10.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.10.4:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.10.4:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.10.7:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.10.7:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.11.1:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.1.46:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.1.46:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.10:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.10:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.10.11:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.10.11:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.11.5:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.11.5:*:*:*:*:*:*:*
CVSS
Base: 2.1 (as of 19-09-2017 - 01:34)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK HIGH SINGLE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:N/AC:H/Au:S/C:P/I:N/A:N
oval via4
accepted 2015-04-20T04:01:01.317-04:00
class vulnerability
contributors
  • name Ganesh Manal
    organization Hewlett-Packard
  • name Prashant Kumar
    organization Hewlett-Packard
  • name Mike Cokus
    organization The MITRE Corporation
description 389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), when the password of a LDAP user has been changed and audit logging is enabled, saves the new password to the log in plain text, which allows remote authenticated users to read the password.
family unix
id oval:org.mitre.oval:def:19241
status accepted
submitted 2013-11-22T11:43:28.000-05:00
title HP-UX Directory Server, Remote Disclosure of Information
version 42
redhat via4
advisories
  • bugzilla
    id 833482
    title CVE-2012-2746 rhds/389: plaintext password disclosure in audit log
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment 389-ds-base is earlier than 0:1.2.10.2-18.el6_3
          oval oval:com.redhat.rhsa:tst:20120997005
        • comment 389-ds-base is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20151554010
      • AND
        • comment 389-ds-base-devel is earlier than 0:1.2.10.2-18.el6_3
          oval oval:com.redhat.rhsa:tst:20120997007
        • comment 389-ds-base-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20151554006
      • AND
        • comment 389-ds-base-libs is earlier than 0:1.2.10.2-18.el6_3
          oval oval:com.redhat.rhsa:tst:20120997009
        • comment 389-ds-base-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20151554008
    rhsa
    id RHSA-2012:0997
    released 2012-06-20
    severity Moderate
    title RHSA-2012:0997: 389-ds-base security update (Moderate)
  • rhsa
    id RHSA-2012:1041
rpms
  • 389-ds-base-0:1.2.10.2-18.el6_3
  • 389-ds-base-devel-0:1.2.10.2-18.el6_3
  • 389-ds-base-libs-0:1.2.10.2-18.el6_3
refmap via4
bid 54153
confirm
hp
  • HPSBUX02881
  • SSRT101189
osvdb 83329
secunia 49734
xf 389directory-logging-info-disclosure(76595)
Last major update 19-09-2017 - 01:34
Published 03-07-2012 - 16:40
Back to Top