CVE-2008-3274

Published: Sep 12, 2008Modified: Apr 23, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

The default configuration of Red Hat Enterprise IPA 1.0.0 and FreeIPA before 1.1.1 places ldap:///anyone on the read ACL for the krbMKey attribute, which allows remote attackers to obtain the Kerberos master key via an anonymous LDAP query.

Affected (4)

Products: Redhat: Enterprise Ipa, Freeipa

Redhat

2 products

Enterprise Ipa

Freeipa

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Ipa	Version 1.0.0
Redhat Freeipa	Up to 1.1.0
Redhat Freeipa	Version 0.99
Redhat Freeipa	Version 1.0.0

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (22)

http://git.fedorahosted.org/git/freeipa.git/?p=freeipa.git%3Ba=commit%3Bh=9932887f2af38b9701efec27707648c026ec445c

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2008-0860.html

Source: secalert@redhat.com

http://secunia.com/advisories/31861

Source: secalert@redhat.com

http://www.freeipa.org/page/CVE-2008-3274

Source: secalert@redhat.com

Patch

http://www.freeipa.org/page/Downloads

Source: secalert@redhat.com

http://www.freeipa.org/page/News

Source: secalert@redhat.com

http://www.securityfocus.com/bid/31111

Source: secalert@redhat.com

http://www.securitytracker.com/id?1020850

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=457835

Source: secalert@redhat.com

https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00733.html

Source: secalert@redhat.com

https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00743.html

Source: secalert@redhat.com

http://git.fedorahosted.org/git/freeipa.git/?p=freeipa.git%3Ba=commit%3Bh=9932887f2af38b9701efec27707648c026ec445c