
exploitDog

CVE-2026-1966

Published: 05 Feb 2026
Source: redhat
CVSS3: 6.5
EPSS: Low

Description

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.

A flaw was found in YugabyteDB Anywhere. This vulnerability allows an authenticated user with access to the configuration view to obtain Lightweight Directory Access Protocol (LDAP) bind passwords. These passwords are displayed in cleartext within the web user interface (UI) when configured via gflags. This information disclosure could potentially enable unauthorized access to external directory services.

Report

LOW impact: Authenticated users with access to the configuration view of YugabyteDB Anywhere can obtain LDAP bind passwords displayed in cleartext within the web UI. This information disclosure could lead to unauthorized access to external directory services.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Red Hat JBoss Enterprise Application Platform 8 | yugabytedb | Fix deferred | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | yugabytedb | Fix deferred | | |

Additional information

Status: Low
Defect: CWE-312
https://bugzilla.redhat.com/show_bug.cgi?id=2437046
YugabyteDB: YugabyteDB Anywhere: Information disclosure of LDAP bind passwords via web UI

EPSS: 0.00008 (Low), percentile: 1%

CVSS3: 6.5 Medium

Related vulnerabilities

nvd
about 2 months ago

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.

github
about 2 months ago

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.
