CVE-2008-3274

Description

The default configuration of Red Hat Enterprise IPA 1.0.0 and FreeIPA before 1.1.1 places ldap:///anyone on the read ACL for the krbMKey attribute, which allows remote attackers to obtain the Kerberos master key via an anonymous LDAP query.

Affected Software
References

Software	From	Fixed in
redhat / freeipa	-	1.1.0.x
redhat / freeipa	0.99	0.99.x
redhat / freeipa	1.0.0	1.0.0.x
redhat / enterprise_ipa	1.0.0	1.0.0.x

http://git.fedorahosted.org/git/freeipa.git/?p=freeipa.git%3Ba=commit%3Bh=9932887f2af38b9701efec27707648c026ec445c
http://rhn.redhat.com/errata/RHSA-2008-0860.html
http://secunia.com/advisories/31861
http://www.freeipa.org/page/CVE-2008-3274
http://www.freeipa.org/page/Downloads
http://www.freeipa.org/page/News
http://www.securityfocus.com/bid/31111
http://www.securitytracker.com/id?1020850
https://bugzilla.redhat.com/show_bug.cgi?id=457835
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00733.html
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00743.html

Severity: Medium

CVE: CVE-2008-3274
Published: Sep 12, 2008
Updated: Apr 13, 2023
Exploit:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-200

CVE-2008-3274

Description

Details

CVSS v2

CWEs