Inclusion of Sensitive Information in Log Files in FreeIPA - CVE-2019-10195
Published: March 17, 2020
Vulnerability identifier: #VU26102
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-10195
CWE-ID: CWE-532
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: freeipa.org
Affected software:
FreeIPA
FreeIPA
Detailed vulnerability description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the way FreeIPA's batch is processing API logged operations that includes storing passwords in clear text on FreeIPA masters. A local user with access to system logs on FreeIPA masters can use this vulnerability to produce log file content with passwords exposed.
How to mitigate CVE-2019-10195
Install updates from vendor's website.
Sources
- https://access.redhat.com/errata/RHSA-2020:0378
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10195
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/67SEUWJAJ5RMH5K4Q6TS2I7HIMXUGNKF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLFL5XDCJ3WT6JCLCQVKHZBLHGW7PW4T/
- https://www.freeipa.org/page/Releases/4.6.7
- https://www.freeipa.org/page/Releases/4.7.4
- https://www.freeipa.org/page/Releases/4.8.3