[Pkg-freeipa-devel] Bug#895950: freeipa: CVE-2017-12169: Password hash disclosure via 'System: Read Stage Users' permission

Salvatore Bonaccorso carnil at debian.org
Tue Apr 17 19:54:02 BST 2018

Source: freeipa
Version: 4.3.1-1
Severity: normal
Tags: security upstream


The following vulnerability was published for freeipa.

| It was found that FreeIPA 4.2.0 and later could disclose password
| hashes to users having the 'System: Read Stage Users' permission. A
| remote, authenticated attacker could potentially use this flaw to
| disclose the password hashes belonging to Stage Users. This security
| issue does not result in disclosure of password hashes belonging to
| active standard users. NOTE: some developers feel that this report is
| a suggestion for a design change to Stage User activation, not a
| statement of a vulnerability.

Initially this issue was disputed as beeing valid, was confirmed that
the issue is valid, although as low imapct security flaw.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12169
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1487697


More information about the Pkg-freeipa-devel mailing list