Information disclosure in 389-ds-base - CVE-2019-10224
Published: November 26, 2019
Vulnerability identifier: #VU23001
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-10224
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: 389 Directory Server Project
Affected software:
389-ds-base
389-ds-base
Detailed vulnerability description
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists within the dscreate and dsconf commands in 389-ds-base due to excessive data output, when executed in verbose mode. A local user can gain access to sensitive information, such as the Directory Manager password.
Successful exploitation of the vulnerability requires that the attacker can see the screen or record terminal session.
How to mitigate CVE-2019-10224
Install updates from vendor's website.