CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 1

389-ds-base versions before 1.3.5.19 and 1.3.6.7 are vulnerable to password brute-force attacks during account lockout due to different return codes returned on password attempts.

A flaw was found in the way 389-ds-base handled authentication attempts against locked accounts. A remote attacker could potentially use this flaw to continue password brute-forcing attacks against LDAP accounts, thereby bypassing the protection offered by the directory server's password lockout policy.

• https://access.redhat.com/errata/RHSA-2017:2569
• https://pagure.io/389-ds-base/issue/49336
• https://access.redhat.com/security/cve/CVE-2017-7551
• https://bugzilla.redhat.com/show_bug.cgi?id=1477669

• CWE-209: Generation of Error Message Containing Sensitive Information
• CWE-640: Weak Password Recovery Mechanism for Forgotten Password

CVSS: 6.5 | EPSS: 0% | CPEs: 8 | EXPL: 0

389-ds-base versions before 1.3.5.17 and 1.3.6.10 are vulnerable to an invalid pointer dereference in the way LDAP bind requests are handled. A remote unauthenticated attacker could use this flaw to make ns-slapd crash via a specially crafted LDAP bind request, resulting in denial of service.

An invalid pointer dereference flaw was found in the way 389-ds-base handled LDAP bind requests. A remote unauthenticated attacker could use this flaw to make ns-slapd crash via a specially crafted LDAP bind request, resulting in denial of service.

• http://www.securityfocus.com/bid/97524
• https://access.redhat.com/errata/RHSA-2017:0893
• https://access.redhat.com/errata/RHSA-2017:0920
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2668
• https://pagure.io/389-ds-base/issue/49220
• https://access.redhat.com/security/cve/CVE-2017-2668
• https://bugzilla.redhat.com/show_bug.cgi?id=1436575

• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-476: NULL Pointer Dereference