CVE-2014-8112 — Sensitive Information Exposure in 389 Directory Server

CWE-200 — Sensitive Information Exposure CWE-522 — Insufficiently Protected Credentials9 documents8 sources

Severity

4.0MEDIUMNVD

EPSS

0.3%

top 45.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Port389 389-ds-base Fedoraproject 389 Directory Server Fedoraproject Fedora

Timeline

PublishedMar 10

Latest updateMay 17

Description

389 Directory Server 1.3.1.x, 1.3.2.x before 1.3.2.27, and 1.3.3.x before 1.3.3.9 stores "unhashed" passwords even when the nsslapd-unhashed-pw-switch option is set to off, which allows remote authenticated users to obtain sensitive information by reading the Changelog.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages2 packages

▶NVDfedoraproject/389_directory_server43 versions+42

▶Debianport389/389-ds-base< 1.3.3.5-4+2

Also affects: Fedora 22

🔴Vulnerability Details

GHSA

GHSA-jpqj-372q-hwmp: 389 Directory Server 1↗2022-05-17

▶

OSV

CVE-2014-8112: 389 Directory Server 1↗2015-03-10

▶

CVEList

CVE-2014-8112: 389 Directory Server 1↗2015-03-10

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Internet Explorer - TextRange Use-After-Free (MS14-012) (Metasploit)↗2014-03-22

▶

📋Vendor Advisories

Red Hat

389-ds-base: password hashing bypassed when "nsslapd-unhashed-pw-switch" is set to off↗2015-03-05

▶

Debian

CVE-2014-8112: 389-ds-base - 389 Directory Server 1.3.1.x, 1.3.2.x before 1.3.2.27, and 1.3.3.x before 1.3.3....↗2014

▶

💬Community

Bugzilla

CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]↗2015-03-07

▶

Bugzilla

CVE-2014-8112 389-ds-base: password hashing bypassed when "nsslapd-unhashed-pw-switch" is set to off↗2014-12-10

▶