CVE-2019-10224 : A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When execu

A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.

Published 2019-11-25 16:15:13

Updated 2023-04-24 09:15:07

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2019-10224

Fedoraproject » 389 Directory Server
Versions from including (>=) 1.4.0.0 and before (<) 1.4.1.3
cpe:2.3:a:fedoraproject:389_directory_server:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-10224

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 13 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-10224

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:L/AC:L/Au:N/C:P/I:N/A:N	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
4.3	MEDIUM	CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	0.7	3.6	Red Hat, Inc.
Attack Vector: Physical Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None
4.6	MEDIUM	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	0.9	3.6	NIST
Attack Vector: Physical Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2019-10224

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)
CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Assigned by: secalert@redhat.com (Secondary)

References for CVE-2019-10224

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10224

1677147 – (CVE-2019-10224) CVE-2019-10224 389-ds-base: using dscreate in verbose mode results in information disclosure
Issue Tracking;Third Party Advisory
https://pagure.io/389-ds-base/issue/50251

Issue #50251: dscreate and dsconf print DM's password in verbose mode - 389-ds-base - Pagure.io
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html

[SECURITY] [DLA 3399-1] 389-ds-base security update

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2019-10224

Products affected by CVE-2019-10224

Exploit prediction scoring system (EPSS) score for CVE-2019-10224

CVSS scores for CVE-2019-10224

CWE ids for CVE-2019-10224

References for CVE-2019-10224