CVE-2023-38994

HIGH

UCS 5.0-5 - Info Disclosure

Title source: llm

Description

The 'check_univention_joinstatus' prometheus monitoring script (and other scripts) in UCS 5.0-5 revealed the LDAP plaintext password of the machine account in the process list allowing attackers with local ssh access to gain higher privileges and perform followup attacks. By default, the configuration of UCS does not allow local ssh access for regular users.

References (4)

[Various Sources] https://raeph123.github.io/BlogPosts/Univention/Simple_yet_effective_The_story_of_some_simple_bugs_that_led_to_the_complete_compromise_of_a_network_en.html

[Issue Tracking, Vendor Advisory] https://forge.univention.org/bugzilla/show_bug.cgi?id=56324

[Issue Tracking, Vendor Advisory] https://forge.univention.org/bugzilla/show_bug.cgi?id=56324#c0

[Exploit, Technical Description, Third Party Advisory] https://www.drive-byte.de/en/blog/simple-yet-effective-the-story-of-some-simple-bugs-that-led-to-the-complete-compromise-of-a-network

Scores

CVSS v3 7.9

EPSS 0.0003

EPSS Percentile 9.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Classification

CWE

CWE-668

Status published

Affected Products (1)

univention/univention_corporate_server

Timeline

Published Oct 31, 2023

Tracked Since Feb 18, 2026