Apple Mac OS X Third-Party LDAP Server Password Exposure
Local Access Required
Loss of Confidentiality
Mac OS X contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a system is bound to an LDAP server that has "ldap_extended_operation" disabled or not supported, and new accounts are created using the Workgroup Manager. The initial password will be stored unencrypted, resulting in a loss of confidentiality.
Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.