Vulnerability Description
It was found that FreeIPA 4.2.0 and later could disclose password hashes to users having the 'System: Read Stage Users' permission. A remote, authenticated attacker could potentially use this flaw to disclose the password hashes belonging to Stage Users. This security issue does not result in disclosure of password hashes belonging to active standard users. NOTE: some developers feel that this report is a suggestion for a design change to Stage User activation, not a statement of a vulnerability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Freeipa | Freeipa | >= 4.2.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/102136 (Third Party Advisory, VDB Entry)
- https://bugzilla.redhat.com/show_bug.cgi?id=1487697 (Issue Tracking, Third Party Advisory)
FAQ
What is CVE-2017-12169?
CVE-2017-12169 is a vulnerability with a CVSS score of 7.5 (HIGH). It was found that FreeIPA 4.2.0 and later could disclose password hashes to users having the 'System: Read Stage Users' permission. A remote, authenticated attacker could potentially use this flaw to ...
How severe is CVE-2017-12169?
CVE-2017-12169 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-12169?
Check the references section above for vendor advisories and patch information. Affected products include: Freeipa (vendor) / Freeipa (product), versions 4.2.0 and later.