3 results (0.008 seconds)

CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0

An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data. Una vulnerabilidad de omisión de control de acceso encontrada en 389-ds-base. Ese manejo inapropiado del filtro que daría resultados incorrectos, pero a medida que ha avanzado, puede determinarse que en realidad es una omisión de control de acceso. • https://bugzilla.redhat.com/show_bug.cgi?id=2091781 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1

A vulnerability was discovered in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service. The denial of service is triggered by a single message sent over a TCP connection, no bind or other authentication is required. The message triggers a segmentation fault that results in slapd crashing. Se ha detectado una vulnerabilidad en 389 Directory Server que permite a un atacante no autenticado con acceso a la red al puerto LDAP causar una denegación de servicio. La denegación de servicio es desencadenada por un único mensaje enviado a través de una conexión TCP, no es requerido bind u otra autenticación. • https://github.com/NathanMulbrook/CVE-2022-0918 https://access.redhat.com/security/cve/CVE-2022-0918 https://bugzilla.redhat.com/show_bug.cgi?id=2055815 https://github.com/389ds/389-ds-base/issues/5242 https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html • CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled. Se ha encontrado un fallo en 389-ds-base. Si es importado un asterisco como hash de la contraseña, ya sea de forma accidental o maliciosa, en lugar de estar inactivo, cualquier contraseña coincidirá con éxito durante la autenticación. • https://bugzilla.redhat.com/show_bug.cgi?id=1982782 https://github.com/389ds/389-ds-base/issues/4817 https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html https://access.redhat.com/security/cve/CVE-2021-3652 • CWE-287: Improper Authentication •