CVE-2019-10195
Description
A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| freeipa (PyPI) | >= 4.6.0, < 4.6.7 | 4.6.7 |
| freeipa (PyPI) | >= 4.7.0, < 4.7.4 | 4.7.4 |
| freeipa (PyPI) | >= 4.8.0, < 4.8.3 | 4.8.3 |
| ipa (PyPI) | >= 4.6.0, < 4.6.7 | 4.6.7 |
| ipa (PyPI) | >= 4.7.0, < 4.7.4 | 4.7.4 |
| ipa (PyPI) | >= 4.8.0, < 4.8.3 | 4.8.3 |
Affected products
- ghsa-coords (2 version ranges): >= 4.6.0, < 4.6.7, plus 1 more
- (no CPE) range: >= 4.6.0, < 4.6.7
- Red Hat / IPA v5 range: all IPA 4.6.x versions before 4.6.7
Patches
Vulnerability mechanics
Root cause
"FreeIPA's batch API logs all sub-command parameters, including passwords, in cleartext to the system log before the individual commands mask them."
Attack vector
An attacker with access to system logs on a FreeIPA master can read cleartext passwords from `/var/log/httpd/error_log`. The batch API logs all sub-command parameters, including sensitive ones like passwords, before the individual commands mask them out. Batch processing is not used by default but can be invoked by third-party components [CWE-200] [ref_id=1].
Affected code
FreeIPA's batch processing API (`batch` plugin) logs all parameters of sub-commands, including passwords, to `/var/log/httpd/error_log`. The flaw affects FreeIPA 4.6.x before 4.6.7, 4.7.x before 4.7.4, and 4.8.x before 4.8.3. Only the server component is vulnerable; client packages are not affected [ref_id=1].
What the fix does
The patch (tested successfully by the developer) ensures that passwords are masked in the batch command log output, matching the masking already applied when individual commands are processed. The fix was contributed by the reporter and improved by the FreeIPA team to log more information while still protecting secrets [ref_id=1].
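The masking the fix describes, as an added illustration that is not FreeIPA's code and does not reproduce the actual patch: a batch request is a list of sub-commands, each with positional params and keyword options, and the request logger must redact secret-bearing fields in every nested sub-command before the line is written, instead of relying on each sub-command to mask its own options later. The set of secret option names, the sample batch and the log format are assumptions made for this example; a real server would take the secret flag from each parameter's metadata.

```python
"""Redacting secrets from a batched API request before it is logged."""
import copy
import json
import logging

MASK = "********"

# Assumption for this example: option names whose values are secrets.
# A real server would derive this from parameter metadata, not a fixed list.
SECRET_OPTION_NAMES = frozenset({"userpassword", "password", "new_password"})

# Constructed sample batch: two sub-commands, the first carrying a password.
SAMPLE_BATCH = {
    "method": "batch",
    "params": [
        [
            {
                "method": "user_add",
                "params": [
                    ["alice"],
                    {"givenname": "Alice", "sn": "Doe", "userpassword": "Hunter2!"},
                ],
            },
            {"method": "group_add_member", "params": [["devs"], {"user": ["alice"]}]},
        ],
        {"version": "2.231"},
    ],
}


def mask_secrets(value, secret_names=SECRET_OPTION_NAMES):
    """Return a deep copy of `value` in which every dict entry whose key is in
    `secret_names` has its value replaced by MASK. Recurses through nested
    lists and dicts, so it reaches the options of each sub-command inside a
    batch call; the original request object is left untouched."""
    if isinstance(value, dict):
        return {
            key: (MASK if key.lower() in secret_names
                  else mask_secrets(val, secret_names))
            for key, val in value.items()
        }
    if isinstance(value, (list, tuple)):
        return [mask_secrets(item, secret_names) for item in value]
    return copy.deepcopy(value)


def unsafe_format_for_log(request):
    """The vulnerable pattern: serialise the request exactly as received."""
    return "batch: " + json.dumps(request, sort_keys=True)


def format_for_log(request):
    """The corrected pattern: mask first, then serialise."""
    return "batch: " + json.dumps(mask_secrets(request), sort_keys=True)


def log_batch_request(request, logger=None):
    """Write the masked line to the given logger and return it."""
    logger = logger or logging.getLogger("batch-example")
    line = format_for_log(request)
    logger.info(line)
    return line


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log_batch_request(SAMPLE_BATCH)
```

Masking is applied to the whole request tree rather than to a known depth, so a sub-command nested inside another container is still covered; the rest of the request (method names, usernames, group members) stays in the log line, which is the "log more information while still protecting secrets" balance the fix description mentions.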
Preconditions
- auth: Attacker must have read access to /var/log/httpd/error_log on a FreeIPA master
- input: A third-party component must invoke the batch API with a password argument
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHBA-2019:4268 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2020:0378 (Red Hat vendor advisory)
- github.com/advisories/GHSA-w4q7-f34x-vpgc (GitHub advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/67SEUWJAJ5RMH5K4Q6TS2I7HIMXUGNKF/ (Fedora vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLFL5XDCJ3WT6JCLCQVKHZBLHGW7PW4T/ (Fedora vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10195 (NVD advisory)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla, confirmation)
- github.com/pypa/advisory-database/tree/main/vulns/freeipa/PYSEC-2019-22.yaml (PyPA advisory database)
- github.com/pypa/advisory-database/tree/main/vulns/ipa/PYSEC-2019-168.yaml (PyPA advisory database)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/67SEUWJAJ5RMH5K4Q6TS2I7HIMXUGNKF (Fedora announcement)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLFL5XDCJ3WT6JCLCQVKHZBLHGW7PW4T (Fedora announcement)
- pagure.io/freeipa/c/5913826a4654a115cd5ff2dbf4a2b3ad38a93081 (fix commit)
- www.freeipa.org/page/Releases/4.6.7 (release notes)
- www.freeipa.org/page/Releases/4.7.4 (release notes)
- www.freeipa.org/page/Releases/4.8.3 (release notes)
News mentions
No linked articles in our index yet.