Vulnerability Description
389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fedoraproject | 389 Directory Server | < 1.3.8.5 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2019:3401
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10871Issue TrackingMitigationThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2018/08/msg00032.htmlMailing ListThird Party Advisory
- https://pagure.io/389-ds-base/issue/49789Issue TrackingThird Party Advisory
- https://access.redhat.com/errata/RHSA-2019:3401
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10871Issue TrackingMitigationThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2018/08/msg00032.htmlMailing ListThird Party Advisory
- https://pagure.io/389-ds-base/issue/49789Issue TrackingThird Party Advisory
FAQ
What is CVE-2018-10871?
CVE-2018-10871 is a vulnerability with a CVSS score of 3.8 (LOW). 389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores ...
How severe is CVE-2018-10871?
CVE-2018-10871 has been rated LOW with a CVSS base score of 3.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-10871?
Check the references section above for vendor advisories and patch information. Affected products include: Fedoraproject 389 Directory Server, Debian Debian Linux.