CVE-2008-3274

CWE-200 — Information Exposure5 documents5 sources

Severity

5.0MEDIUM

EPSS

0.7%

top 27.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Freeipa Redhat Enterprise IPA

Timeline

PublishedSep 12

Latest updateMay 1

Description

The default configuration of Red Hat Enterprise IPA 1.0.0 and FreeIPA before 1.1.1 places ldap:///anyone on the read ACL for the krbMKey attribute, which allows remote attackers to obtain the Kerberos master key via an anonymous LDAP query.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDredhat/freeipa1.1.0+2

▶NVDredhat/enterprise_ipa1.0.0

Patches

Patch: www.freeipa.org ↗Patch: www.freeipa.org ↗

🔴Vulnerability Details

GHSA

GHSA-8w34-c24h-wvp3: The default configuration of Red Hat Enterprise IPA 1↗2022-05-01

▶

CVEList

CVE-2008-3274: The default configuration of Red Hat Enterprise IPA 1↗2008-09-12

▶

📋Vendor Advisories

Red Hat

IPA Kerberos master password disclosure↗2008-09-10

▶

💬Community

Bugzilla

CVE-2008-3274 IPA Kerberos master password disclosure↗2008-08-04

▶