Description
A flaw was found in IPA, in all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. The logging included user passwords passed in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA, but is possible through third-party components. An attacker with access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed.
References (8)
Core References
Release Notes (x_refsource_misc): https://www.freeipa.org/page/Releases/4.7.4
Release Notes (x_refsource_misc): https://www.freeipa.org/page/Releases/4.8.3
Issue Tracking, Third Party Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10195
Release Notes (x_refsource_misc): https://www.freeipa.org/page/Releases/4.6.7
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLFL5XDCJ3WT6JCLCQVKHZBLHGW7PW4T/
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/67SEUWJAJ5RMH5K4Q6TS2I7HIMXUGNKF/
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2020:0378
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHBA-2019:4268
Scores
CVSS v3: 6.5
EPSS: 0.0065
EPSS Percentile: 70.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-532, CWE-200
Status: published
Products (5)
fedoraproject/fedora: 30
fedoraproject/fedora: 31
freeipa/freeipa: 4.6.0 - 4.6.7
pypi/freeipa: 4.6.0 - 4.6.7 (PyPI)
pypi/ipa: 4.6.0 - 4.6.7 (PyPI)
Published: Nov 27, 2019
Tracked Since: Feb 18, 2026