A security issue and a vulnerability have been reported in Red Hat Directory Server, which can be exploited by malicious users to disclose sensitive information.
Red Hat Directory Server 8.x
If an LDAP user had changed their password, and the directory server had not been restarted since that change, an attacker able to bind to the directory server could obtain the plain text version of that user's password.
1) The security issue is caused by new passwords being saved to the audit log in plain text and can be exploited to disclose a user's password. Successful exploitation of the security issue requires the audit log to be enabled (it is disabled by default).
2) The vulnerability is caused by an error when a password is changed and can be exploited to disclose a user's password via the "unhashed#user#password" attribute. Successful exploitation of the vulnerability requires that the server has not been restarted since the password change.
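To find accounts whose passwords need rotating after issue 1, the following added example (not code from the advisory or from Red Hat) scans an audit log for password values stored without a storage-scheme prefix and reports only the timestamp, DN and attribute name, never the value. It assumes an LDIF-style audit log with `time:` and `dn:` lines per record and that the password appears under `userPassword` or `unhashed#user#password`; the function name and the sample records are constructed for illustration.

```python
import base64
import re

# Constructed sample in the LDIF-style layout assumed for the audit log.
SAMPLE_AUDIT_LOG = """\
time: 20100101120000
dn: uid=alice,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: constructed-cleartext

time: 20100101120500
dn: uid=bob,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}Q29uc3RydWN0ZWRIYXNoVmFsdWU=

time: 20100101121000
dn: uid=carol,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: Y29uc3RydWN0ZWQ=
"""

PASSWORD_ATTRS = {"userpassword", "unhashed#user#password"}
HASHED = re.compile(r"^\{[A-Za-z0-9_-]+\}")  # storage-scheme prefix, e.g. {SSHA}


def find_cleartext_passwords(log_text):
    """Return (time, dn, attribute) per cleartext password; values are never returned."""
    text = re.sub(r"\r?\n ", "", log_text)  # unfold LDIF continuation lines
    findings, stamp, dn = [], None, None
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue  # blank lines and "-" separators carry no attribute
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        value = value.strip()
        key = name.strip().lower()
        if key == "time":
            stamp, dn = value, None  # a new record starts
        elif key == "dn":
            dn = value
        elif key in PASSWORD_ATTRS and not HASHED.match(value):
            findings.append((stamp, dn, name.strip()))
    return findings
```

Every DN it returns should be treated as having an exposed password: rotate the credential and restrict or purge the affected log files.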
Exposure of sensitive information from local network
Updated packages are available via Red Hat Network.