
CVE-2023-38994

nvd nist
Published: Oct 31, 2023
Modified: Apr 15, 2025

CVSS score: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 / Impact: 5.9
Source: NVD

Description

The 'check_univention_joinstatus' Prometheus monitoring script (and other scripts) in UCS 5.0-5 revealed the LDAP plaintext password of the machine account in the process list, allowing attackers with local SSH access to gain higher privileges and perform follow-up attacks. By default, the configuration of UCS does not allow local SSH access for regular users.

Affected (1)

Product: Univention Corporate Server
Configuration A (1 vulnerable)
Affected versions: Version 5.0
