CVE-2018-10871

Public on 2018-07-18

Modified on 2020-01-15

Description

By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.

Severity

Medium

CVSS v3 Base Score

3.8

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 1	389-ds-base	2020-01-14	ALAS-2020-1334	Fixed

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	3.8	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
NVD	CVSSv2	4.0	AV:N/AC:L/Au:S/C:P/I:N/A:N
NVD	CVSSv3	7.2	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2018-10871 Mitre: CVE-2018-10871