CVE-2009-1073

MEDIUM

Debian Nss-ldap < 0.6.8 - Incorrect Permission Assignment

Title source: rule

Description

nss-ldapd before 0.6.8 uses world-readable permissions for the /etc/nss-ldapd.conf file, which allows local users to obtain a cleartext password for the LDAP server by reading the bindpw field.

References (12)

[Broken Link, Exploit] http://arthurenhella.demon.nl/viewvc/nss-ldapd/nss-ldapd/debian/libnss-ldapd.postinst?r1=795&r2=813

[Broken Link] http://arthurenhella.demon.nl/viewvc/nss-ldapd/nss-ldapd/man/nss-ldapd.conf.5.xml?r1=805&r2=806

[Mailing List, Patch] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520476

[Broken Link] http://ch.tudelft.nl/~arthur/nss-ldapd/news.html#20090322

[Third Party Advisory] http://launchpad.net/bugs/cve/2009-1073

[Broken Link] http://secunia.com/advisories/34523

[Patch, Third Party Advisory] http://www.debian.org/security/2009/dsa-1758

[Mailing List] http://www.openwall.com/lists/oss-security/2009/03/23/3

[Mailing List] http://www.openwall.com/lists/oss-security/2009/03/24/2

[Mailing List] http://www.openwall.com/lists/oss-security/2009/03/25/3

[Mailing List] http://www.openwall.com/lists/oss-security/2009/03/25/4

[Broken Link, Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/34211

Scores

CVSS v3 5.5

EPSS 0.0038

EPSS Percentile 59.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-732

Status draft

Affected Products (2)

debian/nss-ldap < 0.6.8

debian/debian_linux

Timeline

Published Mar 31, 2009

Tracked Since Feb 18, 2026