CVE-2019-10224
389-ds-base - security update
4.6
MEDIUM
CVSS 3.1
EPSS 0.14%
Description
A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.
How to fix CVE-2019-10224
To remediate CVE-2019-10224, upgrade the affected package to a fixed version below.
- upgrade to 1.4.1.5-1 or later
- upgrade to 1.4.0.21-1+deb10u1 or later
Is CVE-2019-10224 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.4.1.5-1
- from 0, < 1.4.0.21-1+deb10u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.6 | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |