When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1905565 | Issue Tracking Patch Vendor Advisory |
https://github.com/389ds/389-ds-base/commit/b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32 | Patch Third Party Advisory |
https://github.com/389ds/389-ds-base/commit/cc0f69283abc082488824702dae485b8eae938bc | Patch Third Party Advisory |
https://github.com/389ds/389-ds-base/issues/4480 | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
05 Aug 2022, 17:42
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-203 |
Information
Published : 2021-03-26 17:15
Updated : 2024-02-04 21:47
NVD link : CVE-2020-35518
Mitre link : CVE-2020-35518
CVE.ORG link : CVE-2020-35518
JSON object : View
Products Affected
redhat
- directory_server
- enterprise_linux
- 389_directory_server