CVE-2023-38994

The 'check_univention_joinstatus' prometheus monitoring script (and other scripts) in UCS 5.0-5 revealed the LDAP plaintext password of the machine account in the process list allowing attackers with local ssh access to gain higher privileges and perform followup attacks. By default, the configuration of UCS does not allow local ssh access for regular users.
Configurations

Configuration 1 (hide)

cpe:2.3:o:univention:univention_corporate_server:5.0:*:*:*:*:*:*:*

History

21 Nov 2024, 08:14

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.8
v2 : unknown
v3 : 7.9
References () https://forge.univention.org/bugzilla/show_bug.cgi?id=56324 - Issue Tracking, Vendor Advisory () https://forge.univention.org/bugzilla/show_bug.cgi?id=56324 - Issue Tracking, Vendor Advisory
References () https://forge.univention.org/bugzilla/show_bug.cgi?id=56324#c0 - Issue Tracking, Vendor Advisory () https://forge.univention.org/bugzilla/show_bug.cgi?id=56324#c0 - Issue Tracking, Vendor Advisory
References () https://www.drive-byte.de/en/blog/simple-yet-effective-the-story-of-some-simple-bugs-that-led-to-the-complete-compromise-of-a-network - Exploit, Technical Description, Third Party Advisory () https://www.drive-byte.de/en/blog/simple-yet-effective-the-story-of-some-simple-bugs-that-led-to-the-complete-compromise-of-a-network - Exploit, Technical Description, Third Party Advisory

13 Nov 2023, 15:16

Type Values Removed Values Added
CPE cpe:2.3:o:univention:univention_corporate_server:5.0:*:*:*:*:*:*:*
CWE CWE-668
First Time Univention
Univention univention Corporate Server
References (MISC) https://forge.univention.org/bugzilla/show_bug.cgi?id=56324 - (MISC) https://forge.univention.org/bugzilla/show_bug.cgi?id=56324 - Issue Tracking, Vendor Advisory
References (MISC) https://forge.univention.org/bugzilla/show_bug.cgi?id=56324#c0 - (MISC) https://forge.univention.org/bugzilla/show_bug.cgi?id=56324#c0 - Issue Tracking, Vendor Advisory
References (MISC) https://www.drive-byte.de/en/blog/simple-yet-effective-the-story-of-some-simple-bugs-that-led-to-the-complete-compromise-of-a-network - (MISC) https://www.drive-byte.de/en/blog/simple-yet-effective-the-story-of-some-simple-bugs-that-led-to-the-complete-compromise-of-a-network - Exploit, Technical Description, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8

08 Nov 2023, 22:15

Type Values Removed Values Added
Summary An issue in Univention UCS v.5.0 allows a local attacker to execute arbitrary code and gain privileges via the check_univention_joinstatus function. The 'check_univention_joinstatus' prometheus monitoring script (and other scripts) in UCS 5.0-5 revealed the LDAP plaintext password of the machine account in the process list allowing attackers with local ssh access to gain higher privileges and perform followup attacks. By default, the configuration of UCS does not allow local ssh access for regular users.

31 Oct 2023, 12:58

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-31 12:15

Updated : 2024-11-21 08:14


NVD link : CVE-2023-38994

Mitre link : CVE-2023-38994

CVE.ORG link : CVE-2023-38994


JSON object : View

Products Affected

univention

  • univention_corporate_server
CWE
CWE-668

Exposure of Resource to Wrong Sphere