Description

OpenLDAP 1.0 through 2.1.19, as used in Apple Mac OS 10.3.4 and 10.3.5 and possibly other operating systems, may allow certain authentication schemes to use hashed (crypt) passwords in the userPassword attribute as if they were plaintext passwords, which allows remote attackers to re-use hashed passwords without decrypting them.

References

http://secunia.com/advisories/12491/

http://secunia.com/advisories/17233

http://secunia.com/advisories/21520

http://support.avaya.com/elmodocs2/security/ASA-2006-157.htm

http://www.auscert.org.au/render.html?it=4363

http://www.redhat.com/support/errata/RHSA-2005-751.html

http://www.securityfocus.com/advisories/7148

http://www.securityfocus.com/bid/11137

https://exchange.xforce.ibmcloud.com/vulnerabilities/17300

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10703

Details

Risk Information

CVSS v2