PT-2012-1067 · Red Hat+2 · 389-Ds-Base+7

Published: 2012-06-20 · Updated: 2017-09-19 · CVE-2012-2678

CVSS v2.0: 2.1 (Low)

Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

389 Directory Server versions prior to 1.2.11.6
389-ds-base-debuginfo versions 1.2.10.2
389-ds-base versions 1.2.10.2
389-ds-base-libs versions 1.2.10.2
389-ds-base-devel versions 1.2.10.2

Description

The issue allows remote attackers to read plaintext passwords via the unhashed#user#password attribute after an LDAP user's password has been changed and before the server has been reset. The vulnerability can be exploited remotely by an attacker who has passed the authentication procedure, potentially leading to a breach of the confidentiality of protected information.

Recommendations

For 389 Directory Server versions prior to 1.2.11.6, update to version 1.2.11.6 or later.
For 389-ds-base-debuginfo versions 1.2.10.2, update to a version that is not affected by the vulnerability.
For 389-ds-base versions 1.2.10.2, update to a version that is not affected by the vulnerability.
For 389-ds-base-libs versions 1.2.10.2, update to a version that is not affected by the vulnerability.
For 389-ds-base-devel versions 1.2.10.2, update to a version that is not affected by the vulnerability.
As a temporary workaround, consider restricting access to the unhashed#user#password attribute until a patch is available.

Fix

Weakness Enumeration

Related identifiers

BDU:2015-06132
BDU:2015-06133
BDU:2015-06134
BDU:2015-06135
BDU:2015-08859
BDU:2015-08860
BDU:2015-08861
BDU:2015-08862
CESA-2012_0997
CVE-2012-2678
HPSBUX02881
RHSA-2012:0997
RHSA-2012:1041
RHSA-2012_0997

Affected products

389 Directory Server
389-ds-base
389-ds-base-debuginfo
389-ds-base-devel
389-ds-base-libs
CentOS
HP-UX
Red Hat