CVE-2019-10195: Infoleak
First published: Tue Jul 02 2019(Updated: )
A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/FreeIPA | <4.6.7 | 4.6.7 |
| redhat/FreeIPA | <4.7.4 | 4.7.4 |
| redhat/FreeIPA | <4.8.3 | 4.8.3 |
| pip/ipa | >=4.8.0<4.8.3 | 4.8.3 |
| pip/ipa | >=4.7.0<4.7.4 | 4.7.4 |
| pip/ipa | >=4.6.0<4.6.7 | 4.6.7 |
| pip/freeipa | >=4.8.0<4.8.3 | 4.8.3 |
| pip/freeipa | >=4.7.0<4.7.4 | 4.7.4 |
| pip/freeipa | >=4.6.0<4.6.7 | 4.6.7 |
| Red Hat FreeIPA | >=4.6.0<4.6.7 | |
| Red Hat FreeIPA | >=4.7.0<4.7.4 | |
| Red Hat FreeIPA | >=4.8.0<4.8.3 | |
| Red Hat Fedora | =30 | |
| Red Hat Fedora | =31 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHBA-2019:4268
- https://access.redhat.com/errata/RHSA-2020:0378
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10195
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/67SEUWJAJ5RMH5K4Q6TS2I7HIMXUGNKF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLFL5XDCJ3WT6JCLCQVKHZBLHGW7PW4T/
- https://www.freeipa.org/page/Releases/4.6.7
- https://www.freeipa.org/page/Releases/4.7.4
- https://www.freeipa.org/page/Releases/4.8.3
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1587101&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1587101&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1726223#c4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1726223#c5
- https://releases.pagure.org/freeipa
- https://pagure.io/freeipa/c/02ce407f5e10e670d4788778037892b58f80adc0
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1777147
- https://access.redhat.com/security/cve/cve-2019-10195
- https://access.redhat.com/errata/RHSA-2020:1269
- https://bugzilla.redhat.com/show_bug.cgi?id=1726223
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/67SEUWJAJ5RMH5K4Q6TS2I7HIMXUGNKF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLFL5XDCJ3WT6JCLCQVKHZBLHGW7PW4T/
- https://nvd.nist.gov/vuln/detail/CVE-2019-10195
- https://pagure.io/freeipa/c/5913826a4654a115cd5ff2dbf4a2b3ad38a93081
- https://github.com/advisories/GHSA-w4q7-f34x-vpgc (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/freeipa/PYSEC-2019-22.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/ipa/PYSEC-2019-168.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/67SEUWJAJ5RMH5K4Q6TS2I7HIMXUGNKF
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLFL5XDCJ3WT6JCLCQVKHZBLHGW7PW4T
Frequently Asked Questions
What is the severity of CVE-2019-10195?
CVE-2019-10195 is classified as a moderate severity vulnerability.
How do I fix CVE-2019-10195?
To fix CVE-2019-10195, upgrade FreeIPA to version 4.6.7, 4.7.4, or 4.8.3 or higher.
What versions of FreeIPA are affected by CVE-2019-10195?
CVE-2019-10195 affects FreeIPA versions prior to 4.6.7, 4.7.4, and 4.8.3 across all distributions.
What is the impact of CVE-2019-10195?
The impact of CVE-2019-10195 includes logging user passwords in clear text during the batch processing of commands.
Can CVE-2019-10195 be exploited remotely?
Yes, CVE-2019-10195 can be exploited remotely if an attacker has access to the FreeIPA API.
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-10195
- agent/software-canonical-lookup
- agent/severity
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-w4q7-f34x-vpgc
- agent/references
- agent/last-modified-date
- collector/github-advisory
- agent/trending
- agent/source
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- package-manager/redhat
- package-manager/pip
- vendor/freeipa
- canonical/red hat freeipa
- version/red hat freeipa/4.6.0
- version/red hat freeipa/4.7.0
- version/red hat freeipa/4.8.0
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/30
- version/red hat fedora/31