CVE-2017-12169
HIGH: FreeIPA >= 4.2.0 - Authenticated Exposure of Stage User Password Hashes
It was found that FreeIPA 4.2.0 and later could disclose password hashes to users having the 'System: Read Stage Users' permission. A remote, authenticated attacker could potentially use this flaw to disclose the password hashes belonging to Stage Users. This security issue does not result in disclosure of password hashes belonging to active standard users. NOTE: some developers feel that this report is a suggestion for a design change to Stage User activation, not a statement of a vulnerability.
References (2)
Issue Tracking, Third Party Advisory (x_refsource_confirm)
https://bugzilla.redhat.com/show_bug.cgi?id=1487697
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/102136
Scores
CVSS v3
7.5
EPSS
0.0192
EPSS Percentile
77.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
freeipa/freeipa
4.2.0
Published
Jan 10, 2018
Tracked Since
Feb 18, 2026