ID CVE-2010-3282
Summary 389 Directory Server before 1.2.7.1 (aka Red Hat Directory Server 8.2) and HP-UX Directory Server before B.08.10.03, when audit logging is enabled, logs the Directory Manager password (nsslapd-rootpw) in cleartext when changing cn=config:nsslapd-rootpw, which might allow local users to obtain sensitive information by reading the log.
References
Vulnerable Configurations
  • cpe:2.3:a:hp:hp-ux_directory_server:*:*:*:*:*:*:*:*
    cpe:2.3:a:hp:hp-ux_directory_server:*:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:redhat_directory_server:*:*:*:*:*:hp-ux:*:*
    cpe:2.3:a:redhat:redhat_directory_server:*:*:*:*:*:hp-ux:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:-:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:-:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.1.46:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.1.46:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc1:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc1:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc2:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc2:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc3:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc3:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc4:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.5:rc4:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:a2:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:a2:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:a3:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:a3:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:a4:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:a4:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc1:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc1:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc2:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc2:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc3:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc3:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc6:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc6:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc7:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6:rc7:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fedoraproject:389_directory_server:1.2.7:alpha3:*:*:*:*:*:*
    cpe:2.3:a:fedoraproject:389_directory_server:1.2.7:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:redhat:directory_server:8.0:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:directory_server:8.0:*:*:*:*:*:*:*
CVSS
Base: 1.9 (as of 29-01-2020 - 15:27)
Impact:
Exploitability:
CWE CWE-312
CAPEC
  • Retrieve Embedded Sensitive Data
    An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.
Access
VectorComplexityAuthentication
LOCAL MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:L/AC:M/Au:N/C:P/I:N/A:N
oval via4
accepted 2015-04-20T04:02:32.625-04:00
class vulnerability
contributors
  • name Chandan M C
    organization Hewlett-Packard
  • name Sushant Kumar Singh
    organization Hewlett-Packard
  • name Sushant Kumar Singh
    organization Hewlett-Packard
  • name Prashant Kumar
    organization Hewlett-Packard
  • name Mike Cokus
    organization The MITRE Corporation
description ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
family unix
id oval:org.mitre.oval:def:6914
status accepted
submitted 2010-10-25T10:49:54.000-05:00
title HP-UX Directory Server and Red Hat Directory Server for HP-UX, Local Disclosure of Information, Privilege Escalation
version 47
refmap via4
confirm
Last major update 29-01-2020 - 15:27
Published 09-01-2020 - 21:15
Last modified 29-01-2020 - 15:27
Back to Top