CVE-2017-12169

HIGH

FreeIPA >= 4.2.0 - Authenticated Exposure of Stage User Password Hashes


Description

It was found that FreeIPA 4.2.0 and later could disclose password hashes to users having the 'System: Read Stage Users' permission. A remote, authenticated attacker could potentially use this flaw to disclose the password hashes belonging to Stage Users. This security issue does not result in disclosure of password hashes belonging to active standard users. NOTE: some developers feel that this report is a suggestion for a design change to Stage User activation, not a statement of a vulnerability.

References (2)

Issue Tracking, Third Party Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=1487697
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/102136

Scores

CVSS v3 7.5
EPSS 0.0192
EPSS Percentile 77.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
freeipa/freeipa 4.2.0
Published Jan 10, 2018
Tracked Since Feb 18, 2026