Bug 2173517 (CVE-2023-1055) - CVE-2023-1055 RHDS: LDAP browser tries to decode userPassword instead of userCertificate attribute
Summary: CVE-2023-1055 RHDS: LDAP browser tries to decode userPassword instead of user...
Keywords:
Status: NEW
Alias: CVE-2023-1055
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2173628 2173629 2173675 2173676 2173829 2173830 2177929 2177930 2178131 2178135 2178157
Blocks: 2173182 2173596
Reported: 2023-02-27 07:52 UTC by Borja Tarraso
Modified: 2024-04-30 13:58 UTC (History)

Fixed In Version: 389-ds-base 2.3.5-1.fc38
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:3489 0 None None None 2023-06-06 13:05:47 UTC
Red Hat Product Errata RHSA-2023:4655 0 None None None 2023-08-15 14:11:52 UTC

Description Borja Tarraso 2023-02-27 07:52:53 UTC
In RHDS 11 and 12, while browsing entries, the LDAP Browser tries to decode a user certificate on the server, but instead of decoding the userCertificate attribute it tries to decode the userPassword attribute. This leaks a hashed password as an argument in the process list.

The possible issue is caused by the showCertificate() function that does the decoding here:
https://github.com/389ds/389-ds-base/blob/c69f2691bb9c3933c1ff3f81139011fc7d66b0aa/src/cockpit/389-console/src/lib/ldap_editor/lib/utils.jsx#L989-L997

This code is present in all versions of RHDS that ship LDAP Browser (12.0, 12.1 and 11.5, 11.6).
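The two checks a reviewer would want for this class of bug, as an added example that is not code from 389-ds-base or the RHDS LDAP Browser: select values for the certificate decoder strictly by attribute name (never by what the value looks like), and hand the value to the decoder on stdin so it never appears in argv, where any local user can read it from /proc/<pid>/cmdline or `ps -eo args`. The entry layout, the spec objects and the sample values are assumptions made for illustration; the `openssl x509` invocation is a plausible decoder, not the project's actual command.

```javascript
// Added example, not code from 389-ds-base or the RHDS LDAP Browser.
// Assumed layout: an entry is a plain object mapping attribute description -> array of strings.

// LDAP attribute descriptions are case-insensitive and may carry options
// such as ";binary"; compare the base name only.
function isCertificateAttribute(attrDesc) {
  const base = attrDesc.split(";")[0].toLowerCase();
  return base === "usercertificate" || base === "cacertificate";
}

// Pick certificate values out of an entry by attribute name. A value is never
// selected because of its shape, so userPassword (hashed or not) cannot reach
// the decoder.
function selectCertificateValues(entry) {
  const selected = [];
  for (const [attr, values] of Object.entries(entry)) {
    if (!isCertificateAttribute(attr)) continue;
    for (const value of values) selected.push({ attribute: attr, value });
  }
  return selected;
}

// Leaky pattern: the attribute value is embedded in the command line, so it
// is visible in the process list for as long as the child runs.
function leakyDecoderSpec(b64Value) {
  return {
    argv: ["sh", "-c", `echo '${b64Value}' | base64 -d | openssl x509 -inform DER -noout -text`],
    stdin: null,
  };
}

// Hardened pattern: argv is a fixed list with no user data; the DER bytes are
// written to the child's stdin instead.
function hardenedDecoderSpec(b64Value) {
  return {
    argv: ["openssl", "x509", "-inform", "DER", "-noout", "-text"],
    stdin: Buffer.from(b64Value, "base64"),
  };
}

// Review check: does any argv element carry the value? On a live system the
// equivalent is grepping /proc/*/cmdline while the decoder is running.
function argvExposesValue(spec, value) {
  return spec.argv.some((arg) => arg.includes(value));
}

// Everything the browser would spawn for one entry, built the hardened way.
function decoderSpecsForEntry(entry) {
  return selectCertificateValues(entry).map((c) => hardenedDecoderSpec(c.value));
}

// Constructed sample entry; the hash and the certificate bytes are not real.
const sampleEntry = {
  uid: ["jdoe"],
  userPassword: ["{PBKDF2_SHA256}AAAIAHNhbHRzYWx0c2FsdA=="],
  "userCertificate;binary": ["MIIBAAAAAAAA"],
};
```

With the sample entry, `decoderSpecsForEntry` yields one spec for the certificate and none for the password, and `argvExposesValue` reports the leak only for the `sh -c` form. The name-based selection is what the original code lacked; the stdin rule is defence in depth, so that even a future selection bug does not put a secret in the process list.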

Comment 3 Borja Tarraso 2023-02-27 15:42:32 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-36 [bug 2173675]
Affects: fedora-37 [bug 2173676]

Comment 5 errata-xmlrpc 2023-06-06 13:05:44 UTC
This issue has been addressed in the following products:

  Red Hat Directory Server 12.1 for RHEL 9

Via RHSA-2023:3489 https://access.redhat.com/errata/RHSA-2023:3489

Comment 8 errata-xmlrpc 2023-08-15 14:11:51 UTC
This issue has been addressed in the following products:

  Red Hat Directory Server 11.6 for RHEL 8

Via RHSA-2023:4655 https://access.redhat.com/errata/RHSA-2023:4655

