CVE-2018-10871

Public on 2018-07-18
Modified on 2020-01-15
Description
By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.
Severity
Medium severity
Medium
CVSS v3 Base Score
3.8
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 389-ds-base 2020-01-14 ALAS-2020-1334 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 3.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
NVD CVSSv2 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
NVD CVSSv3 7.2 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H