CVE-2018-1337

{"id": "CVE-2018-1337", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": true, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2018-07-10T13:29:00.293", "references": [{"url": "http://www.securityfocus.com/bid/104744", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/d66081195e9a02ee7cc20fb243b60467d1419586eed28297d820768f%40%3Cdev.directory.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r0e645b3f6ca977dc60b7cec231215c59a9471736c2402c1fef5a0616%40%3Cjira.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r1815fb5b0c345f571c740e7a1b48d7477647edd4ffcf9d5321e69446%40%3Cdev.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r1a258430d820a90ff9d4558319296cc517ff2252327d7b3546d16749%40%3Cjira.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r4da40aa50cfdb2158898f2bc6df81feec1d42c6a06db6537d5cc0496%40%3Cjira.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r55e74532e7f9e84ecfa56b4e0a50a5fe0ba6f7a76880520e4400b0d7%40%3Cjira.kafka.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r56b304fb9960c869995efbb31da3b9b7c6d53ee31f7f7048eb80434b%40%3Cdev.kafka.apache.org%3E", "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request)."}, {"lang": "es", "value": "En la API LDAP de Apache Directory, en versiones anteriores a la 1.0.2, un error en la forma en la que el filtro SSL se configuraba hac\u00eda posible que otro hilo empleara la conexi\u00f3n antes de que se estableciera la capa TLS, si la conexi\u00f3n ya se hab\u00eda empleado y colocado de nuevo en un grupo de conexiones, lo que conducir\u00eda al filtrado de cualquier tipo de informaci\u00f3n contenida en esta petici\u00f3n (incluyendo las credenciales al enviar una petici\u00f3n BIND)."}], "lastModified": "2023-11-07T02:55:59.343", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:directory_ldap_api:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ACB64EAC-EC76-4C37-89A4-FB99CFF2721C", "versionEndExcluding": "1.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}