CVE-2023-38994

HIGH

UCS 5.0-5 - Info Disclosure

Title source: llm

Description

The 'check_univention_joinstatus' prometheus monitoring script (and other scripts) in UCS 5.0-5 revealed the LDAP plaintext password of the machine account in the process list allowing attackers with local ssh access to gain higher privileges and perform followup attacks. By default, the configuration of UCS does not allow local ssh access for regular users.

References (4)

[Various Sources] https://raeph123.github.io/BlogPosts/Univention/Simple_yet_effective_The_story_of_some_simple_bugs_that_led_to_the_complete_compromise_of_a_network_en.html

[Issue Tracking, Vendor Advisory] https://forge.univention.org/bugzilla/show_bug.cgi?id=56324

[Issue Tracking, Vendor Advisory] https://forge.univention.org/bugzilla/show_bug.cgi?id=56324#c0

[Exploit, Technical Description, Third Party Advisory] https://www.drive-byte.de/en/blog/simple-yet-effective-the-story-of-some-simple-bugs-that-led-to-the-complete-compromise-of-a-network

Scores

CVSS v3 7.9

EPSS 0.0004

EPSS Percentile 12.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Details

CWE

CWE-668

Status published

Products (1)

univention/univention_corporate_server 5.0

Published Oct 31, 2023

Tracked Since Feb 18, 2026