Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 5.0
CVE Id: CVE-2005-2069
Last Modified: 21 Aug 2010 12:30:07
Published: 30 Jun 2005 12:00:00
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2005-2069

Summary

pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, do not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password.

Vulnerable Systems

Application

  • OpenLDAP

  • PADL Software nss_ldap

  • PADL Software pam_ldap


References

MISC - http://www.openldap.org/its/index.cgi/Incoming?id=3791

MISC - http://bugzilla.padl.com/show_bug.cgi?id=210

CONFIRM - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161990

XF - ldap-tls-information-disclosure(21245)

MANDRIVA - MDKSA-2005:121

UBUNTU - USN-152-1

BID - 14126

BID - 14125

REDHAT - RHSA-2005:767

REDHAT - RHSA-2005:751

OSVDB - 17692

GENTOO - GLSA-2005-07-13

CONFIRM - http://support.avaya.com/elmodocs2/security/ASA-2006-157.htm

SECUNIA - 21520

SECUNIA - 17845

SECUNIA - 17233

MISC - http://bugzilla.padl.com/show_bug.cgi?id=211

CONFIRM - http://bugs.gentoo.org/show_bug.cgi?id=96767

FULLDISC - 20050704 pam_ldap/nss_ldap password leak in a master+slave+start_tls LDAP setup


Last Updated: 27 May 2016 10:40:22