Description

When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.

Related CPE's

o

redhat

389_directory_server

3

a

redhat

directory_server

11.0

Vulnerable

o

redhat

enterprise_linux

2

References

https://bugzilla.redhat.com/show_bug.cgi?id=1905565

Issue TrackingPatchVendor Advisory

https://github.com/389ds/389-ds-base/commit/b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32

PatchThird Party Advisory

https://github.com/389ds/389-ds-base/commit/cc0f69283abc082488824702dae485b8eae938bc

PatchThird Party Advisory

https://github.com/389ds/389-ds-base/issues/4480

PatchThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1905565

Issue TrackingPatchVendor Advisory

https://github.com/389ds/389-ds-base/commit/b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32

PatchThird Party Advisory

https://github.com/389ds/389-ds-base/commit/cc0f69283abc082488824702dae485b8eae938bc

PatchThird Party Advisory

https://github.com/389ds/389-ds-base/issues/4480

PatchThird Party Advisory

Weaknesses

[email protected]

Secondary
CWE-200

[email protected]

Primary
CWE-203

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3 · Medium

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-03-26T16:15:12.280Z

4 years ago

Last modified

2024-11-21T04:27:28.920Z

1 year ago