Ubuntu.com | UB:CVE-2023-1055
Feb 27, 2023 - 12:00 a.m.

CVE-2023-1055


CVSS3: 5.5

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0
Percentile: 13.3%

A flaw was found in RHDS 11 and RHDS 12. While browsing entries, LDAP tries
to decode the userPassword attribute instead of the userCertificate
attribute, which could lead to sensitive information being leaked. An attacker
with a local account on the system where cockpit-389-ds is running can list the
processes and display the hashed passwords. The highest threat from this
vulnerability is to data confidentiality.
