CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-3230
https://notcve.org/view.php?id=CVE-2015-3230
389 Directory Server (formerly Fedora Directory Server) before 1.3.3.12 does not enforce the nsSSL3Ciphers preference when creating an sslSocket, which allows remote attackers to have unspecified impact by requesting to use a disabled cipher. 389 Directory Server (anteriormente Fedora Directory Server) en versiones anteriores a 1.3.3.12 no hace cumplir la preferencia nsSSL3Ciphers cuando crean un sslSocket, lo que permite a atacantes remotos tener un impacto no especificado mediante la petición de utilizar un cifrado deshabilitado. • http://directory.fedoraproject.org/docs/389ds/releases/release-1-3-3-12.html http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168985.html https://bugzilla.redhat.com/show_bug.cgi?id=1230996 https://fedorahosted.org/389/ticket/48194 • CWE-254: 7PK - Security Features •
CVSS: 5.8EPSS: 0%CPEs: 7EXPL: 0CVE-2014-8105 – 389-ds-base: information disclosure through 'cn=changelog' subtree
https://notcve.org/view.php?id=CVE-2014-8105
389 Directory Server before 1.3.2.27 and 1.3.3.x before 1.3.3.9 does not properly restrict access to the "cn=changelog" LDAP sub-tree, which allows remote attackers to obtain sensitive information from the changelog via unspecified vectors. 389 Directory Server anterior a 1.3.2.27 y 1.3.3.x anterior a 1.3.3.9 no restringe correctamente acceso al subárbol LDAP 'cn=changelog', lo que permite a atacantes remotos obtener información sensible del registro de cambios (changelog) a través de vectores no especificados. An information disclosure flaw was found in the way the 389 Directory Server stored information in the Changelog that is exposed via the 'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain cases use this flaw to read data from the Changelog, which could include sensitive information such as plain-text passwords. • http://directory.fedoraproject.org/docs/389ds/releases/release-1-3-2-27.html http://directory.fedoraproject.org/docs/389ds/releases/release-1-3-3-9.html http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153991.html http://rhn.redhat.com/errata/RHSA-2015-0416.html http://rhn.redhat.com/errata/RHSA-2015-0628.html https://access.redhat.com/security/cve/CVE-2014-8105 https://bugzilla.redhat.com/show_bug.cgi?id=1167858 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 65EXPL: 0CVE-2014-3562 – 389-ds: unauthenticated information disclosure
https://notcve.org/view.php?id=CVE-2014-3562
Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory. Red Hat Directory Server 8 y 389 Directory Server, cuando depuración está habilitada, permite a atacantes remotos obtener metadatos replicados sensibles mediante la búsqueda del directorio. It was found that when replication was enabled for each attribute in Red Hat Directory Server / 389 Directory Server, which is the default configuration, the server returned replicated metadata when the directory was searched while debugging was enabled. A remote attacker could use this flaw to disclose potentially sensitive information. • http://rhn.redhat.com/errata/RHSA-2014-1031.html http://rhn.redhat.com/errata/RHSA-2014-1032.html https://bugzilla.redhat.com/show_bug.cgi?id=1123477 https://access.redhat.com/security/cve/CVE-2014-3562 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 6.5EPSS: 0%CPEs: 18EXPL: 1CVE-2014-0132 – 389-ds: flaw in parsing authzid can lead to privilege escalation
https://notcve.org/view.php?id=CVE-2014-0132
The SASL authentication functionality in 389 Directory Server before 1.2.11.26 allows remote authenticated users to connect as an arbitrary user and gain privileges via the authzid parameter in a SASL/GSSAPI bind. La funcionalidad de autenticación SASL en 389 Directory Server anterior a 1.2.11.26 permite a usuarios remotos autenticados conectar como un usuario arbitrario y ganar privilegios a través del parámetro authzid en un SASL/GSSAPI bind. • http://rhn.redhat.com/errata/RHSA-2014-0292.html http://secunia.com/advisories/57412 http://secunia.com/advisories/57427 https://fedorahosted.org/389/changeset/76acff12a86110d4165f94e2cba13ef5c7ebc38a https://fedorahosted.org/389/ticket/47739 https://access.redhat.com/security/cve/CVE-2014-0132 https://bugzilla.redhat.com/show_bug.cgi?id=1074845 • CWE-287: Improper Authentication CWE-290: Authentication Bypass by Spoofing •
CVSS: 5.0EPSS: 1%CPEs: 6EXPL: 0CVE-2013-4283 – 389-ds-base: ns-slapd crash due to bogus DN
https://notcve.org/view.php?id=CVE-2013-4283
ns-slapd in 389 Directory Server before 1.3.0.8 allows remote attackers to cause a denial of service (server crash) via a crafted Distinguished Name (DN) in a MOD operation request. ns-slapd en 389 Directory Server anterior a v1.3.0.8 permite a atacantes remotos provocar una denegación de servicio (caída del servidor) a través de un Distinguished Name (DN) manipulado en una operación de petición MOD. • http://directory.fedoraproject.org/wiki/Releases/1.3.0.8 http://rhn.redhat.com/errata/RHSA-2013-1182.html http://secunia.com/advisories/54586 http://secunia.com/advisories/54650 https://bugzilla.redhat.com/show_bug.cgi?id=999634 https://access.redhat.com/security/cve/CVE-2013-4283 • CWE-20: Improper Input Validation •