You are here

V-166: HP-UX Directory Server Discloses Passwords to Remote Authenticated and Local Users

May 29, 2013 - 12:32am

Addthis

PROBLEM:

HP-UX Directory Server Discloses Passwords to Remote Authenticated and Local Users

PLATFORM:

Directory Server B.08.10.04

ABSTRACT:

Two vulnerabilities were reported in HP-UX Directory Server.

REFERENCE LINKS:

HP Document ID: c03772083
SecurityTracker Alert ID:  1028593
CVE-2012-2678
CVE-2012-2746

IMPACT ASSESSMENT:

High

DISCUSSION:

A local user can access the plaintext password in certain cases [CVE-2012-2678].

A remote authenticated user can can view the password for a target LDAP user when audit logging is enabled by reading the audit log [CVE-2012-2678].

IMPACT:

A remote authenticated user can view passwords.

A local user can view passwords.

SOLUTION:

The vendor has issued a fix (Directory Server B.08.10.05).

Addthis