CVE-2012-2678
rhds/389: plaintext password disclosure flaw
Severity Score
8.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), after the password for a LDAP user has been changed and before the server has been reset, allows remote attackers to read the plaintext password via the unhashed#user#password attribute.
"389 Directory Server" antes de v1.2.11.6 (también conocido como Red Hat Directory Server antes de v8.2.10-3), cuando la contraseña de un usuario de LDAP ha cambiado y anyes de que el servidor haya sido reiniciado, permite a atacantes remotos leer contraseñas en claro a través del atributo unhashed#user#password.
Red Hat Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration. A flaw was found in the way Red Hat Directory Server handled password changes. If an LDAP user had changed their password, and the directory server had not been restarted since that change, an attacker able to bind to the directory server could obtain the plain text version of that user's password via the "unhashed#user#password" attribute. It was found that when the password for an LDAP user was changed, and audit logging was enabled, the new password was written to the audit log in plain text form. This update introduces a new configuration parameter, "nsslapd-auditlog-logging-hide-unhashed-pw", which when set to "on", prevents Red Hat Directory Server from writing plain text passwords to the audit log. This option can be configured in "/etc/dirsrv/slapd-[ID]/dse.ldif".
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2012-05-14 CVE Reserved
- 2012-06-20 CVE Published
- 2024-08-06 CVE Updated
- 2025-07-21 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-310: Cryptographic Issues
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| http://directory.fedoraproject.org/wiki/Release_Notes | X_refsource_confirm | |
| http://osvdb.org/83336 | Vdb Entry | |
| http://www.securityfocus.com/bid/54153 | Vdb Entry | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19353 | Signature |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2012-0997.html | 2017-09-19 | |
| http://rhn.redhat.com/errata/RHSA-2012-1041.html | 2017-09-19 | |
| http://secunia.com/advisories/49734 | 2017-09-19 | |
| https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03772083 | 2017-09-19 | |
| https://access.redhat.com/security/cve/CVE-2012-2678 | 2012-06-26 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=829933 | 2012-06-26 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Directory Server Search vendor "Redhat" for product "Directory Server" | <= 8.2 Search vendor "Redhat" for product "Directory Server" and version " <= 8.2" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Directory Server Search vendor "Redhat" for product "Directory Server" | 7.1 Search vendor "Redhat" for product "Directory Server" and version "7.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Directory Server Search vendor "Redhat" for product "Directory Server" | 8.0 Search vendor "Redhat" for product "Directory Server" and version "8.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Directory Server Search vendor "Redhat" for product "Directory Server" | 8.1 Search vendor "Redhat" for product "Directory Server" and version "8.1" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | <= 1.2.11.5 Search vendor "Fedoraproject" for product "389 Directory Server" and version " <= 1.2.11.5" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.1 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.1" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.2 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.2" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.3 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.3" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.5 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.5" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.5 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.5" | rc1 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.5 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.5" | rc2 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.5 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.5" | rc3 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.5 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.5" | rc4 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.6 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.6" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.6 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.6" | a2 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.6 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.6" | a3 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.6 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.6" | a4 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.6 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.6" | rc1 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.6 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.6" | rc2 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.6 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.6" | rc3 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.6 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.6" | rc6 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.6 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.6" | rc7 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.6.1 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.6.1" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.7 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.7" | alpha3 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.7.5 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.7.5" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.8 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.8" | alpha1 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.8 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.8" | alpha2 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.8 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.8" | alpha3 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.8 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.8" | rc1 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.8 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.8" | rc2 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.8.1 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.8.1" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.8.2 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.8.2" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.8.3 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.8.3" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.9.9 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.9.9" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.10 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.10" | alpha8 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.10 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.10" | rc1 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.10.1 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.10.1" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.10.2 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.10.2" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.10.3 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.10.3" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.10.4 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.10.4" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.10.7 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.10.7" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | 1.2.11.1 Search vendor "Fedoraproject" for product "389 Directory Server" and version "1.2.11.1" | - |
Affected
| ||||||