{
  "threat_severity" : "Low",
  "public_date" : "2015-03-05T00:00:00Z",
  "bugzilla" : {
    "description" : "389-ds-base: password hashing bypassed when \"nsslapd-unhashed-pw-switch\" is set to off",
    "id" : "1172729",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1172729"
  },
  "cvss" : {
    "cvss_base_score" : "1.4",
    "cvss_scoring_vector" : "AV:A/AC:H/Au:S/C:P/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-522",
  "details" : [ "389 Directory Server 1.3.1.x, 1.3.2.x before 1.3.2.27, and 1.3.3.x before 1.3.3.9 stores \"unhashed\" passwords even when the nsslapd-unhashed-pw-switch option is set to off, which allows remote authenticated users to obtain sensitive information by reading the Changelog.", "It was found that when the nsslapd-unhashed-pw-switch 389 Directory Server configuration option was set to \"off\", it did not prevent the writing of unhashed passwords into the Changelog. This could potentially allow an authenticated user able to access the Changelog to read sensitive information." ],
  "statement" : "This issue did not affect the versions of 389-ds-base as shipped with Red Hat Enterprise Linux 6.",
  "acknowledgement" : "This issue was discovered by Ludwig Krispenz (Red Hat Identity Management Engineering Team).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-03-05T00:00:00Z",
    "advisory" : "RHSA-2015:0416",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "389-ds-base-0:1.3.3.1-13.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "389-ds-base",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-8112\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-8112" ],
  "name" : "CVE-2014-8112",
  "csaw" : false
}