Clear Text Password Exposure in FreeIPA's Batch Processing API
CVE-2019-10195

5.7MEDIUM

Key Information:

Vendor: Red Hat
Status: Ipa
Vendor: CVE Published:; 27 November 2019

What is CVE-2019-10195?

A vulnerability exists in FreeIPA where the batch processing API can inadvertently log user passwords in clear text on the FreeIPA masters. While batch processing with passwords is not enabled by default, it can be activated through third-party components. If an attacker gains access to system logs, they can exploit this flaw, leading to unauthorized exposure of sensitive information.

Affected Version(s)

IPA all IPA 4.6.x versions before 4.6.7

IPA all IPA 4.7.x versions before 4.7.4

IPA all IPa 4.8.x versions before 4.8.3

References

https://www.freeipa.org/page/Releases/4.7.4

x_refsource_MISC

https://www.freeipa.org/page/Releases/4.8.3

x_refsource_MISC

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10195

x_refsource_CONFIRM

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 27, 2019
Vulnerability Reserved
Mar 27, 2019

Red Hat

What is CVE-2019-10195?

Affected Version(s)

References

CVSS V3.1

Timeline