Filtered by vendor Redhat
Subscriptions
Filtered by product Directory Server
Subscriptions
Total
39 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2022-1949 | 2 Fedoraproject, Redhat | 4 Fedora, 389 Directory Server, Directory Server and 1 more | 2024-12-13 | 7.5 High |
An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data. | ||||
CVE-2024-1062 | 2 Fedoraproject, Redhat | 15 Fedora, 389 Directory Server, Directory Server and 12 more | 2024-12-04 | 5.5 Medium |
A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr. | ||||
CVE-2024-2199 | 1 Redhat | 3 Directory Server, Enterprise Linux, Rhel Eus | 2024-11-28 | 5.7 Medium |
A denial of service vulnerability was found in 389-ds-base ldap server. This issue may allow an authenticated user to cause a server crash while modifying `userPassword` using malformed input. | ||||
CVE-2024-8445 | 1 Redhat | 3 Directory Server, Enterprise Linux, Rhel Els | 2024-11-24 | 5.7 Medium |
The fix for CVE-2024-2199 in 389-ds-base was insufficient to cover all scenarios. In certain product versions, an authenticated user may cause a server crash while modifying `userPassword` using malformed input. | ||||
CVE-2024-6237 | 1 Redhat | 3 389 Directory Server, Directory Server, Enterprise Linux | 2024-11-24 | 6.5 Medium |
A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service. | ||||
CVE-2024-5953 | 1 Redhat | 5 Directory Server, Directory Server Eus, Enterprise Linux and 2 more | 2024-11-24 | 5.7 Medium |
A denial of service vulnerability was found in the 389-ds-base LDAP server. This issue may allow an authenticated user to cause a server denial of service while attempting to log in with a user with a malformed hash in their password. | ||||
CVE-2024-3657 | 1 Redhat | 4 Directory Server, Directory Server Eus, Enterprise Linux and 1 more | 2024-11-24 | 7.5 High |
A flaw was found in 389-ds-base. A specially-crafted LDAP query can potentially cause a failure on the directory server, leading to a denial of service | ||||
CVE-2023-1055 | 2 Fedoraproject, Redhat | 2 Fedora, Directory Server | 2024-11-21 | 5.5 Medium |
A flaw was found in RHDS 11 and RHDS 12. While browsing entries LDAP tries to decode the userPassword attribute instead of the userCertificate attribute which could lead into sensitive information leaked. An attacker with a local account where the cockpit-389-ds is running can list the processes and display the hashed passwords. The highest threat from this vulnerability is to data confidentiality. | ||||
CVE-2022-2850 | 4 Debian, Fedoraproject, Port389 and 1 more | 6 Debian Linux, Fedora, 389-ds-base and 3 more | 2024-11-21 | 6.5 Medium |
A flaw was found In 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514. | ||||
CVE-2022-0918 | 2 Port389, Redhat | 4 389-ds-base, Directory Server, Enterprise Linux and 1 more | 2024-11-21 | 7.5 High |
A vulnerability was discovered in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service. The denial of service is triggered by a single message sent over a TCP connection, no bind or other authentication is required. The message triggers a segmentation fault that results in slapd crashing. | ||||
CVE-2021-4091 | 2 Port389, Redhat | 11 389-ds-base, Directory Server, Enterprise Linux and 8 more | 2024-11-21 | 7.5 High |
A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash. | ||||
CVE-2021-3652 | 2 Port389, Redhat | 4 389-ds-base, Directory Server, Enterprise Linux and 1 more | 2024-11-21 | 6.5 Medium |
A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled. | ||||
CVE-2021-3514 | 1 Redhat | 4 389 Directory Server, Directory Server, Enterprise Linux and 1 more | 2024-11-21 | 6.5 Medium |
When using a sync_repl client in 389-ds-base, an authenticated attacker can cause a NULL pointer dereference using a specially crafted query, causing a crash. | ||||
CVE-2020-35518 | 1 Redhat | 4 389 Directory Server, Directory Server, Enterprise Linux and 1 more | 2024-11-21 | 5.3 Medium |
When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database. | ||||
CVE-2014-3562 | 2 Fedoraproject, Redhat | 3 389 Directory Server, Directory Server, Enterprise Linux | 2024-11-21 | N/A |
Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory. | ||||
CVE-2013-4485 | 2 Fedoraproject, Redhat | 3 389 Directory Server, Directory Server, Enterprise Linux | 2024-11-21 | N/A |
389 Directory Server 1.2.11.15 (aka Red Hat Directory Server before 8.2.11-14) allows remote authenticated users to cause a denial of service (crash) via multiple @ characters in a GER attribute list in a search request. | ||||
CVE-2013-2219 | 2 Fedoraproject, Redhat | 3 389 Directory Server, Directory Server, Enterprise Linux | 2024-11-21 | N/A |
The Red Hat Directory Server before 8.2.11-13 and 389 Directory Server do not properly restrict access to entity attributes, which allows remote authenticated users to obtain sensitive information via a search query for the attribute. | ||||
CVE-2012-2746 | 2 Fedoraproject, Redhat | 3 389 Directory Server, Directory Server, Enterprise Linux | 2024-11-21 | N/A |
389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), when the password of a LDAP user has been changed and audit logging is enabled, saves the new password to the log in plain text, which allows remote authenticated users to read the password. | ||||
CVE-2012-2678 | 2 Fedoraproject, Redhat | 3 389 Directory Server, Directory Server, Enterprise Linux | 2024-11-21 | N/A |
389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), after the password for a LDAP user has been changed and before the server has been reset, allows remote attackers to read the plaintext password via the unhashed#user#password attribute. | ||||
CVE-2012-0833 | 2 Fedoraproject, Redhat | 3 389 Directory Server, Directory Server, Enterprise Linux | 2024-11-21 | N/A |
The acllas__handle_group_entry function in servers/plugins/acl/acllas.c in 389 Directory Server before 1.2.10 does not properly handled access control instructions (ACIs) that use certificate groups, which allows remote authenticated LDAP users with a certificate group to cause a denial of service (infinite loop and CPU consumption) by binding to the server. |