Information Exposure Affecting cockpit-389-ds package, versions *


Severity

Recommended
0.0
low
0
10

Based on CentOS security rating.

Threat Intelligence

EPSS
0.3% (22nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS8-COCKPIT389DS-17893886
  • published8 Jul 2026
  • disclosed8 Jul 2026

Introduced: 8 Jul 2026

NewCVE-2026-15041  (opens in a new tab)
CWE-208  (opens in a new tab)

How to fix?

There is no fixed version for Centos:8 cockpit-389-ds.

NVD Description

Note: Versions mentioned in the description apply only to the upstream cockpit-389-ds package and not the cockpit-389-ds package as distributed by Centos. See How to fix? for Centos:8 relevant fixed versions and status.

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.

CVSS Base Scores

version 3.1