
Security (AD-AUTH User Disclosure (CVE-2024-RKN0001))

Digital Rebar exposed privileged user information in job logs. The exposed value is a one-way password hash rather than a plaintext password, so the information is not directly usable, but with sufficient compute resources the original password could be reverse engineered from the hash.

While the hash is not currently crackable in reasonable time, the system could eventually become vulnerable.

Technical Details

In v4.12, the system generated jobs and job logs for all actions driven through the system. This increased audit capabilities, but when AD-AUTH is in use the authentication system generates these jobs as well. User logins are already audited through audit events; these job logs are extra and contain a temporary user object with a one-way password hash.

This only applies to systems using the ad-auth plugin.
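The scrub the fix performs can also be checked for by hand on an existing log export. The scanner below is an added example, not Digital Rebar's own code or log format: it assumes job-log entries are one JSON object per line and that a leaked user object carries a key whose name contains "password" (the `PasswordHash` field name and the sample log lines are constructed for illustration). It reports where such a field appears and produces a scrubbed copy with the field removed, leaving non-sensitive fields and non-JSON lines untouched.

```python
import json
import re

# Constructed sample job log: one JSON object per line, with one entry that
# embeds a temporary user object including a password hash (as the advisory
# describes). The layout and the "PasswordHash" key are assumptions.
SAMPLE_JOB_LOG = [
    '{"Job":"c0ffee01","Msg":"task started","User":"alice"}',
    '{"Job":"c0ffee02","Msg":"ad-auth lookup","Object":{"Name":"alice",'
    '"PasswordHash":"JDJhJDEwJGV4YW1wbGVoYXNo","Roles":["superuser"]}}',
    '{"Job":"c0ffee03","Msg":"task finished"}',
    "not json at all",
]

# Key names that should never appear in a job log regardless of value.
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token", re.IGNORECASE)


def _walk(node, path=""):
    """Yield (dotted_path, parent_dict, key) for every sensitive key in node."""
    if isinstance(node, dict):
        for key, value in node.items():
            sub = f"{path}.{key}" if path else key
            if SENSITIVE_KEY.search(key):
                yield sub, node, key
            yield from _walk(value, sub)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def find_exposures(lines):
    """Return [(line_number, dotted_path)] for each sensitive field found."""
    hits = []
    for number, line in enumerate(lines, 1):
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a structured entry; nothing to inspect
        for path, _parent, _key in _walk(obj):
            hits.append((number, path))
    return hits


def scrub(lines):
    """Return a copy of the log with every sensitive field removed."""
    cleaned = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            cleaned.append(line)  # leave free-text lines as they are
            continue
        # Materialise the hit list before mutating the dicts it refers to.
        for _path, parent, key in list(_walk(obj)):
            parent.pop(key, None)
        cleaned.append(json.dumps(obj, separators=(",", ":")))
    return cleaned


if __name__ == "__main__":
    for number, path in find_exposures(SAMPLE_JOB_LOG):
        print(f"line {number}: sensitive field {path}")
    print("\n".join(scrub(SAMPLE_JOB_LOG)))
```

Matching on key name rather than on value keeps the check independent of the hash format, so it also catches the field when the stored hash is empty or encoded differently; the scrubber removes the key outright so a second scan of the cleaned output comes back empty.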

Recommendations

Upgrade to the latest v4.12, v4.13, or tip release. Upon upgrade, the system will no longer generate logs for these events, and existing logs will be scrubbed.

Affected Versions

Affected Version    Fixed Version
v4.12               v4.12.22
v4.13               v4.13.4