CVE Vulnerability

CVE-2020-35518

When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

5.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1905565 Issue Tracking Patch
https://github.com/389ds/389-ds-base/issues/4480 Patch Third Party Advisory
https://github.com/389ds/389-ds-base/commit/cc0f69283abc082488824702dae485b8eae938bc Patch Third Party Advisory
https://github.com/389ds/389-ds-base/commit/b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:o:redhat:389_directory_server:*:*:*:*:*:*:*:*
cpe:2.3:o:redhat:389_directory_server:*:*:*:*:*:*:*:*
cpe:2.3:o:redhat:389_directory_server:*:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:directory_server:11.0:*:*:*:*:*:*:*
Information

Published : 2021-03-26 05:15

Updated : 2022-08-05 05:42

NVD link : CVE-2020-35518

Mitre link : CVE-2020-35518

Products Affected
No products.
CWE
CWE-203