CVE-2005-2069

Summary

CVE: CVE-2005-2069
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2005-06-30 04:00:00 UTC
Updated: 2020-11-16 19:30:00 UTC
Description: pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password.
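The referral step the description talks about, modelled as an added example (this is illustrative code written for this page, not code from OpenLDAP, nss_ldap or pam_ldap). A slave that cannot service a request hands back a referral URL such as ldap://master.example.com/; that URL names only the host and scheme, while the StartTLS that protected the first session is connection state. A client that rebuilds the new connection from the URL alone therefore binds to the master in cleartext, which is the behaviour chase_referral_vulnerable reproduces; chase_referral_hardened carries the original session's TLS policy over and aborts rather than fall back to cleartext. The hostnames and the servers_with_start_tls set are constructed stand-ins for real servers and for the actual StartTLS negotiation.

```python
"""LDAP referral chasing with and without the TLS fix (added example).

Not code from the page, OpenLDAP, nss_ldap or pam_ldap. The hostnames below
are constructed, and `servers_with_start_tls` is an assumption standing in for
the real StartTLS extended-operation exchange with the referred server.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Conn:
    host: str
    port: int
    ldaps: bool      # TLS from the first byte (ldaps:// URI)
    start_tls: bool  # plain TCP, then StartTLS negotiated before the bind

    @property
    def bind_in_cleartext(self) -> bool:
        """True when the BindRequest (and its password) would go out unencrypted."""
        return not (self.ldaps or self.start_tls)


def parse_ldap_url(url: str) -> Tuple[str, int, bool]:
    """Split an RFC 4516 LDAP URL into (host, port, is_ldaps); defaults 389/636."""
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    if not u.hostname:
        raise ValueError(f"referral without a host: {url}")
    ldaps = u.scheme == "ldaps"
    return u.hostname, u.port or (636 if ldaps else 389), ldaps


def chase_referral_vulnerable(current: Conn, referral_url: str) -> Conn:
    """Pre-fix behaviour: the new connection is built from the URL alone.

    `current` is ignored, so a session that had StartTLS negotiated is
    followed by a plain ldap:// connection to the master and a cleartext bind.
    """
    host, port, ldaps = parse_ldap_url(referral_url)
    return Conn(host, port, ldaps, start_tls=False)


def chase_referral_hardened(current: Conn, referral_url: str,
                            servers_with_start_tls: FrozenSet[str]) -> Conn:
    """Carry the original session's TLS policy over to the referred connection.

    ldaps:// referrals stay ldaps. A plain ldap:// referral inherits StartTLS
    when the original session used TLS; if the referred server cannot do
    StartTLS the referral is refused instead of degrading to cleartext.
    """
    host, port, ldaps = parse_ldap_url(referral_url)
    tls_expected = current.ldaps or current.start_tls
    if ldaps or not tls_expected:
        return Conn(host, port, ldaps, start_tls=False)
    if host not in servers_with_start_tls:  # stand-in for a failed StartTLS
        raise RuntimeError(f"refusing cleartext bind to {host}:{port}")
    return Conn(host, port, ldaps=False, start_tls=True)


if __name__ == "__main__":
    slave = Conn("slave.example.com", 389, ldaps=False, start_tls=True)
    referral = "ldap://master.example.com/dc=example,dc=com"
    v = chase_referral_vulnerable(slave, referral)
    h = chase_referral_hardened(slave, referral, frozenset({"master.example.com"}))
    print("vulnerable client binds in cleartext:", v.bind_in_cleartext)
    print("hardened client binds in cleartext:  ", h.bind_in_cleartext)
```

Note that the hardened policy is inherited, not imposed: a client that started without TLS still follows an ldap:// referral in cleartext, which is why the page's configuration-level advice (use TLS on the original connection) matters as well as the library fix.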

Risk And Classification

Problem Types: CWE-319 (Cleartext Transmission of Sensitive Information)

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Openldap | Openldap | All | All | All | All
Application | Padl | Nss Ldap | - | All | All | All
Application | Padl | Pam Ldap | - | All | All | All

References

Reference | Source | Link | Tags
17692 | OSVDB | www.osvdb.org | Broken Link
IBM X-Force Exchange | XF | exchange.xforce.ibmcloud.com | Third Party Advisory, VDB Entry
Repository / Oval Repository | OVAL | oval.cisecurity.org | Third Party Advisory
20050704 pam_ldap/nss_ldap password leak in a master+slave+start_tls LDAP setup | FULLDISC | archives.neohapsis.com | Broken Link
OpenLDAP ITS - Incoming/3791 | MISC | www.openldap.org | Patch, Vendor Advisory
Gentoo Bug 96767 - sys-auth/{pam_ldap|nss_ldap} not using tls for referred connections | CONFIRM | bugs.gentoo.org | Third Party Advisory
Secunia - Advisories - Red Hat update for openldap / nss_ldap | SECUNIA | secunia.com | Third Party Advisory
OpenLDAP TLS Plaintext Password Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry
Gentoo Linux Documentation -- pam_ldap and nss_ldap: Plain text authentication leak | GENTOO | www.gentoo.org | Third Party Advisory
Bug 210 - ssl start_tls not honoured when chasing referrals | MISC | bugzilla.padl.com | Issue Tracking, Patch, Vendor Advisory
rhn.redhat.com | Red Hat Support | REDHAT | www.redhat.com | Third Party Advisory
Fedora update for openldap - Secunia Advisories - Vulnerability Intelligence - Secunia.com | SECUNIA | secunia.com | Third Party Advisory
usn/usn-152-1 - Ubuntu Linux | UBUNTU | www.ubuntu.com | Third Party Advisory
bugzilla.padl.com/show_bug.cgi | MISC | bugzilla.padl.com | Issue Tracking, Vendor Advisory
PADL Software PAM_LDAP TLS Plaintext Password Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry
161990 – openldap password disclosure issue | CONFIRM | bugzilla.redhat.com | Issue Tracking, Third Party Advisory
Avaya Products Multiple Vulnerabilities - Advisories - Secunia | SECUNIA | secunia.com | Third Party Advisory
ASA-2006-157 (RHSA-2005-751) | CONFIRM | support.avaya.com | Third Party Advisory
Advisories - Mandriva | MANDRIVA | wwwnew.mandriva.com | Third Party Advisory
rhn.redhat.com | Red Hat Support | REDHAT | www.redhat.com | Third Party Advisory
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Vendor Comments And Credit

Organization | Published | Contributor | Statement
Red Hat | 2007-03-14 | Mark J Cox | Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Legacy QID Mappings

  • 900145 CBL-Mariner Linux Security Update for openldap 2.4.50
  • 903296 Common Base Linux Mariner (CBL-Mariner) Security Update for openldap (2545)
© CVE.report 2026
