CVE-2012-2746

Current Description

389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), when the password of an LDAP user has been changed and audit logging is enabled, saves the new password to the log in plain text, which allows remote authenticated users to read the password.

Basic Data

Published: July 03, 2012
Last Modified: September 19, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-310
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:H/Au:S/C:P/I:N/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: HIGH
CVSS 2 - Authentication: SINGLE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 2.1
Severity: LOW
Exploitability Score: 3.9
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
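    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    | 2.3 | Application | Redhat | Directory Server | 7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Redhat | Directory Server | 8.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Redhat | Directory Server | 8.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Redhat | Directory Server | * | * | * | * | * | * | * | * | | 8.2 | | |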
  • OR - Configuration 2
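    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.5 | rc1 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.5 | rc2 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.5 | rc3 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.5 | rc4 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.6 | a2 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.6 | a3 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.6 | a4 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.6 | rc1 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.6 | rc2 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.6 | rc3 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.6 | rc6 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.6 | rc7 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.6.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.7 | alpha3 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.7.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.8 | alpha1 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.8 | alpha2 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.8 | alpha3 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.8 | rc1 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.8 | rc2 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.8.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.8.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.8.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.9.9 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.10 | alpha8 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.10 | rc1 | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.10.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.10.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.10.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.10.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.10.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | 1.2.11.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Fedoraproject | 389 Directory Server | * | * | * | * | * | * | * | * | | 1.2.11.5 | | |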

Vulnerable Software List

| Vendor | Product | Versions |
| Redhat | Directory Server | *, 7.1, 8.0, 8.1 |
| Fedoraproject | 389 Directory Server | *, 1.2.1, 1.2.10, 1.2.10.1, 1.2.10.2, 1.2.10.3, 1.2.10.4, 1.2.10.7, 1.2.11.1, 1.2.2, 1.2.3, 1.2.5, 1.2.6, 1.2.6.1, 1.2.7, 1.2.7.5, 1.2.8, 1.2.8.1, 1.2.8.2, 1.2.8.3, 1.2.9.9 |

References

| Name | Source | URL | Tags |
| http://directory.fedoraproject.org/wiki/Release_Notes | CONFIRM | http://directory.fedoraproject.org/wiki/Release_Notes | Vendor Advisory |
| RHSA-2012:0997 | REDHAT | http://rhn.redhat.com/errata/RHSA-2012-0997.html | Vendor Advisory |
| RHSA-2012:1041 | REDHAT | http://rhn.redhat.com/errata/RHSA-2012-1041.html | Vendor Advisory |
| 49734 | SECUNIA | http://secunia.com/advisories/49734 | Vendor Advisory |
| 83329 | OSVDB | http://www.osvdb.org/83329 | |
| 54153 | BID | http://www.securityfocus.com/bid/54153 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=833482 | CONFIRM | https://bugzilla.redhat.com/show_bug.cgi?id=833482 | Vendor Advisory |
| 389directory-logging-info-disclosure(76595) | XF | https://exchange.xforce.ibmcloud.com/vulnerabilities/76595 | |
| https://fedorahosted.org/389/ticket/365 | CONFIRM | https://fedorahosted.org/389/ticket/365 | Vendor Advisory |
| SSRT101189 | HP | https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03772083 | |
| oval:org.mitre.oval:def:19241 | OVAL | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19241 | |