[
https://issues.apache.org/jira/browse/DIRSERVER-1259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13989232#comment-13989232
]
Johan Bergman commented on DIRSERVER-1259:
------------------------------------------
Hi, where are you guys in this issue? Our Sonatype CLM scans are still finding
this vulnerability in the latest version (2.0.0-M16)
> Make the userPassword not searchable from the outside
> -----------------------------------------------------
>
> Key: DIRSERVER-1259
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1259
> Project: Directory ApacheDS
> Issue Type: New Feature
> Affects Versions: 1.5.4
> Reporter: Emmanuel Lecharny
> Fix For: 2.0.0-RC1
>
>
> The userPassword attribute should not be searchable by default. More
> specifically, it should not be a part of any filter, as it may be a security
> breach (imagine you use something like (&(cn=foo)(userPassword >
> a)(userPassword < c)), you can easily find the password in a very simple
> way...)
--
This message was sent by Atlassian JIRA
(v6.2#6252)
