In RHDS 11 and 12, while browsing entries, the LDAP Browser tries to decode a user certificate on the server, but instead of decoding a userCertificate attribute, it tries to decode the userPassword attribute. This leaks a hashed password in the process list as an argument. The possible issue is caused by the showCertificate() function that does the decoding here:
https://github.com/389ds/389-ds-base/blob/c69f2691bb9c3933c1ff3f81139011fc7d66b0aa/src/cockpit/389-console/src/lib/ldap_editor/lib/utils.jsx#L989-L997
This code is present in all versions of RHDS that ship LDAP Browser (12.0, 12.1 and 11.5, 11.6).
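An added example, not 389-ds-base code and not part of the original report, of two guards against the leak described above: decode only certificate attributes whose value looks like DER, and hand the value to the decoder on stdin so it never appears in the process list. The function names, the attribute allow-list and the `openssl` argument vector are assumptions, and the sample values are constructed.

```javascript
// Hypothetical names throughout; this is not the showCertificate() code.
// Assumed allow-list of attributes that hold X.509 certificates.
const CERT_ATTRS = new Set(["usercertificate", "cacertificate"]);

// Returns a spawn description: a fixed argv plus the bytes to write to stdin.
function buildDecodeRequest(attrName, base64Value) {
  // "userCertificate;binary" -> "usercertificate"
  const base = String(attrName).split(";")[0].trim().toLowerCase();
  if (!CERT_ATTRS.has(base)) {
    throw new Error(`refusing to decode non-certificate attribute: ${base}`);
  }
  const compact = String(base64Value).replace(/\s+/g, "");
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(compact)) {
    throw new Error("value is not base64");
  }
  const der = Buffer.from(compact, "base64");
  // A DER certificate is an ASN.1 SEQUENCE, so it starts with tag 0x30.
  // A stored password hash such as "{PBKDF2_SHA256}..." starts with "{" (0x7b).
  if (der.length < 4 || der[0] !== 0x30) {
    throw new Error("value is not a DER SEQUENCE");
  }
  // argv is constant: nothing taken from the entry is placed on the command line.
  return {
    argv: ["openssl", "x509", "-inform", "DER", "-noout", "-text"],
    stdin: der,
  };
}

// True if any command-line argument contains the given value.
function argvContains(request, value) {
  return request.argv.some((arg) => arg.includes(value));
}

// Wrapper that reports a rejection instead of throwing.
function tryBuild(attrName, base64Value) {
  try {
    return { ok: true, request: buildDecodeRequest(attrName, base64Value) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed samples: a truncated DER prefix (not a parseable certificate)
// and a made-up hash string in the "{SCHEME}data" form.
const SAMPLE_CERT_B64 = Buffer.from([0x30, 0x82, 0x01, 0x0a, 0x30, 0x81]).toString("base64");
const SAMPLE_HASH_B64 = Buffer.from("{PBKDF2_SHA256}AAAAconstructedHashValue").toString("base64");
```

The returned `stdin` bytes are meant to be written to the child's standard input by whatever process-spawn API the caller uses.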
Created 389-ds-base tracking bugs for this issue:
Affects: fedora-36 [bug 2173675]
Affects: fedora-37 [bug 2173676]
This issue has been addressed in the following products:
Red Hat Directory Server 12.1 for RHEL 9
Via RHSA-2023:3489 https://access.redhat.com/errata/RHSA-2023:3489
This issue has been addressed in the following products:
Red Hat Directory Server 11.6 for RHEL 8
Via RHSA-2023:4655 https://access.redhat.com/errata/RHSA-2023:4655