{"id":"PYSEC-2014-100","details":"The default LDAP ACIs in FreeIPA 3.0 before 3.1.2 do not restrict access to the (1) ipaNTTrustAuthIncoming and (2) ipaNTTrustAuthOutgoing attributes, which allow remote attackers to obtain the Cross-Realm Kerberos Trust key via unspecified vectors.","modified":"2024-11-21T14:22:50.537629Z","published":"2014-05-29T14:19:00Z","withdrawn":"2024-11-22T04:37:04Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/57542"},{"type":"WEB","url":"http://www.freeipa.org/page/Releases/3.1.2"},{"type":"WEB","url":"http://osvdb.org/89539"},{"type":"ADVISORY","url":"http://www.freeipa.org/page/CVE-2013-0199"},{"type":"WEB","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/81486"}],"affected":[{"package":{"name":"freeipa","ecosystem":"PyPI","purl":"pkg:pypi/freeipa"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.10.2","4.12.2","4.4.0.dev1","4.5.0","4.5.2","4.5.4","4.6.1","4.6.2","4.6.3","4.6.4","4.6.5","4.6.7","4.7.0","4.7.1","4.7.2","4.7.4","4.7.5","4.8.0","4.8.0rc1","4.8.1","4.8.2","4.8.3","4.8.5","4.8.6","4.8.7","4.8.9","4.9.12"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/freeipa/PYSEC-2014-100.yaml"}}],"schema_version":"1.7.3"}