389-ds-base up to 1.4.1.2 Verbose Mode insufficiently protected credentials
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.8 | $0-$5k | 0.00 |
Summary
A vulnerability categorized as problematic has been discovered in 389-ds-base up to 1.4.1.2. The affected element is an unknown function of the component Verbose Mode. The manipulation results in insufficiently protected credentials. This vulnerability is identified as CVE-2019-10224. The attack is only possible with local access. There is not any exploit available. It is advisable to upgrade the affected component.
Details
A vulnerability classified as problematic has been found in 389-ds-base up to 1.4.1.2. Affected is an unknown functionality of the component Verbose Mode. The manipulation with an unknown input leads to a insufficiently protected credentials vulnerability. CWE is classifying the issue as CWE-522. The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. This is going to have an impact on confidentiality. CVE summarizes:
A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.
The weakness was released 11/25/2019 as not defined bug report (Bugzilla). The advisory is shared for download at bugzilla.redhat.com. This vulnerability is traded as CVE-2019-10224 since 03/27/2019. The attack needs to be approached locally. The successful exploitation needs a authentication. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1552.
Upgrading to version 1.4.1.3 eliminates this vulnerability.
Once again VulDB remains the best source for vulnerability data.
Product
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 3.8VulDB Meta Temp Score: 3.8
VulDB Base Score: 2.8
VulDB Temp Score: 2.7
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 4.3
NVD Vector: 🔍
CNA Base Score: 4.3
CNA Vector (Red Hat, Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Insufficiently protected credentialsCWE: CWE-522
CAPEC: 🔍
ATT&CK: 🔍
Physical: Yes
Local: Yes
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: 389-ds-base 1.4.1.3
Timeline
03/27/2019 🔍11/25/2019 🔍
11/26/2019 🔍
02/27/2024 🔍
Sources
Advisory: DLA 3399-1Status: Not defined
CVE: CVE-2019-10224 (🔍)
GCVE (CVE): GCVE-0-2019-10224
GCVE (VulDB): GCVE-100-146196
Entry
Created: 11/26/2019 06:58Updated: 02/27/2024 08:35
Changes: 11/26/2019 06:58 (39), 11/26/2019 07:03 (11), 02/27/2024 08:31 (3), 02/27/2024 08:35 (19)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.