CVE-2014-3562 – 389-ds: unauthenticated information disclosure
https://notcve.org/view.php?id=CVE-2014-3562
Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory. Red Hat Directory Server 8 y 389 Directory Server, cuando depuración está habilitada, permite a atacantes remotos obtener metadatos replicados sensibles mediante la búsqueda del directorio. It was found that when replication was enabled for each attribute in Red Hat Directory Server / 389 Directory Server, which is the default configuration, the server returned replicated metadata when the directory was searched while debugging was enabled. A remote attacker could use this flaw to disclose potentially sensitive information. • http://rhn.redhat.com/errata/RHSA-2014-1031.html http://rhn.redhat.com/errata/RHSA-2014-1032.html https://bugzilla.redhat.com/show_bug.cgi?id=1123477 https://access.redhat.com/security/cve/CVE-2014-3562 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •
CVE-2013-4485 – 389-ds-base: DoS due to improper handling of ger attr searches
https://notcve.org/view.php?id=CVE-2013-4485
389 Directory Server 1.2.11.15 (aka Red Hat Directory Server before 8.2.11-14) allows remote authenticated users to cause a denial of service (crash) via multiple @ characters in a GER attribute list in a search request. 389 Directory Server 1.2.11.15 (también conocido como Red Hat Directory Server anterior a la versión 8.2.11-14) permite a usuarios remotos autenticados provocar una denegación de servicio (caída) a través de múltiples caracteres @ en una lista de atributo GER de una petición de búsqueda. • http://rhn.redhat.com/errata/RHSA-2013-1752.html http://rhn.redhat.com/errata/RHSA-2013-1753.html http://secunia.com/advisories/55765 https://access.redhat.com/security/cve/CVE-2013-4485 https://bugzilla.redhat.com/show_bug.cgi?id=1024552 • CWE-20: Improper Input Validation •
CVE-2013-2219 – Server: ACLs inoperative in some search scenarios
https://notcve.org/view.php?id=CVE-2013-2219
The Red Hat Directory Server before 8.2.11-13 and 389 Directory Server do not properly restrict access to entity attributes, which allows remote authenticated users to obtain sensitive information via a search query for the attribute. El Red Hat Directory Server 8.2.11-13 y 389 Directory Server, no restringe adecuadamente los atributos de entidad, lo que permite a usuarios autenticados remotamente obtener información sensible a través de una consulta de búsqueda hacia ese atributo. • http://rhn.redhat.com/errata/RHSA-2013-1116.html http://rhn.redhat.com/errata/RHSA-2013-1119.html https://bugzilla.redhat.com/show_bug.cgi?id=979508 https://access.redhat.com/security/cve/CVE-2013-2219 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-2746 – rhds/389: plaintext password disclosure in audit log
https://notcve.org/view.php?id=CVE-2012-2746
389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), when the password of a LDAP user has been changed and audit logging is enabled, saves the new password to the log in plain text, which allows remote authenticated users to read the password. "389 Directory Server" antes de v1.2.11.6 (también conocido como Red Hat Directory Server antes de v8.2.10-3), cuando la contraseña de un usuario de LDAP ha cambiado y el registro de auditoría está habilitada, guarda la nueva contraseña para el registro en texto plano, lo que permite leer la contraseña a usuarios remotos autenticados. • http://directory.fedoraproject.org/wiki/Release_Notes http://rhn.redhat.com/errata/RHSA-2012-0997.html http://rhn.redhat.com/errata/RHSA-2012-1041.html http://secunia.com/advisories/49734 http://www.osvdb.org/83329 http://www.securityfocus.com/bid/54153 https://bugzilla.redhat.com/show_bug.cgi?id=833482 https://exchange.xforce.ibmcloud.com/vulnerabilities/76595 https://fedorahosted.org/389/ticket/365 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=em • CWE-310: Cryptographic Issues •
CVE-2012-2678 – rhds/389: plaintext password disclosure flaw
https://notcve.org/view.php?id=CVE-2012-2678
389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), after the password for a LDAP user has been changed and before the server has been reset, allows remote attackers to read the plaintext password via the unhashed#user#password attribute. "389 Directory Server" antes de v1.2.11.6 (también conocido como Red Hat Directory Server antes de v8.2.10-3), cuando la contraseña de un usuario de LDAP ha cambiado y anyes de que el servidor haya sido reiniciado, permite a atacantes remotos leer contraseñas en claro a través del atributo unhashed#user#password. • http://directory.fedoraproject.org/wiki/Release_Notes http://osvdb.org/83336 http://rhn.redhat.com/errata/RHSA-2012-0997.html http://rhn.redhat.com/errata/RHSA-2012-1041.html http://secunia.com/advisories/49734 http://www.securityfocus.com/bid/54153 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03772083 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19353 https://access.redhat.com/security/cve/CVE-2012-267 • CWE-310: Cryptographic Issues •