PT-2019-1081 · Red Hat+1 · Freeipa+2
Jamison Bennett
·
Published
2019-11-27
·
Updated
2022-05-24
·
CVE-2019-10195
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
FreeIPA versions 4.6.x before 4.6.7
FreeIPA versions 4.7.x before 4.7.4
FreeIPA versions 4.8.x before 4.8.3
Description
A flaw was found in the way FreeIPA's batch processing API logged operations: the log entries included the command arguments and options as passed, so user passwords were written in clear text to logs on FreeIPA masters. An attacker with read access to those system logs could therefore recover passwords from the log file content. FreeIPA itself does not batch commands that carry passwords as arguments or options by default, but third-party components that call the batch API can do so.
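The defensive control the description implies is to strip credential-bearing arguments and options from a batch request before it is rendered into a log line. The following is an added example written for this page, not FreeIPA's own code or its fix; it assumes a batch payload shaped like FreeIPA's `batch` method (a `methods` list whose entries carry `method` and `params`, where `params` is a positional-argument list followed by an options dict) and uses a constructed, hypothetical list of secret-carrying option names.

```python
import json
from typing import Any

# Assumption: option names that carry secrets in IPA-style commands.
# The set is constructed for this example and should be extended to
# whatever a real deployment's third-party batch callers actually pass.
SENSITIVE_KEYS = frozenset({
    "password", "userpassword", "newpassword", "oldpassword",
    "otp", "ipatokenotpkey", "random",
})
REDACTED = "********"


def redact(value: Any) -> Any:
    """Return a copy of value with any secret-carrying option replaced.

    Walks dicts and lists recursively so nested batch entries are covered.
    Keys are matched case-insensitively because IPA option names are
    lower-case but callers are not always consistent.
    """
    if isinstance(value, dict):
        return {
            key: (REDACTED if key.lower() in SENSITIVE_KEYS else redact(val))
            for key, val in value.items()
        }
    if isinstance(value, list):
        return [redact(item) for item in value]
    return value


def format_batch_for_log(batch_params: dict) -> str:
    """Render a batch request as one JSON log line with secrets removed."""
    return json.dumps(redact(batch_params), sort_keys=True)


def leaks_secret(log_line: str, secrets: list[str]) -> bool:
    """Check whether any known secret string still appears in a log line.

    Useful as a regression test around the logging path: feed it the
    secrets you submitted and assert the rendered line contains none.
    """
    return any(secret in log_line for secret in secrets)


# Constructed sample batch request (not a real capture).
SAMPLE_BATCH = {
    "methods": [
        {"method": "user_add",
         "params": [["alice"], {"givenname": "Alice", "sn": "Doe",
                                "userpassword": "Hunter2!"}]},
        {"method": "passwd",
         "params": [["bob"], {"password": "s3cret-pw"}]},
        {"method": "user_show",
         "params": [["carol"], {"all": True}]},
    ]
}

if __name__ == "__main__":
    line = format_batch_for_log(SAMPLE_BATCH)
    print(line)
    print("leaks:", leaks_secret(line, ["Hunter2!", "s3cret-pw"]))
```

The redaction keys on option names rather than on value patterns, which is the only reliable approach here: a password can look like any other string, so a filter that tries to recognise secrets by shape will miss some and log them.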
Recommendations
For FreeIPA versions 4.6.x before 4.6.7, update to version 4.6.7 or later.
For FreeIPA versions 4.7.x before 4.7.4, update to version 4.7.4 or later.
For FreeIPA versions 4.8.x before 4.8.3, update to version 4.8.3 or later.
As a temporary workaround, consider restricting access to system logs on FreeIPA masters to minimize the risk of exploitation.
Fix
Information Disclosure
Insertion into Log File
Related identifiers
Affected products
Alt Linux
Freeipa
Red Hat