CVE-2014-9713
Debian Security Advisory 3209-1
Severity Score
7.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The default slapd configuration in the Debian openldap package 2.4.23-3 through 2.4.39-1.1 allows remote authenticated users to modify the user's permissions and other user attributes via unspecified vectors.
La configuración por defecto slapd en el paquete Debian openldap 2.4.23-3 hasta 2.4.39-1.1 permite a usuarios remotos autenticados modificar los permisos de usuarios y otros atributos de usuarios a través de vectores no especificados.
Denis Andzakovic discovered that OpenLDAP incorrectly handled certain BER data. A remote attacker could possibly use this issue to cause OpenLDAP to crash, resulting in a denial of service. Dietrich Clauss discovered that the OpenLDAP package incorrectly shipped with a potentially unsafe default access control configuration. Depending on how the database is configure, this may allow users to impersonate others by modifying attributes such as their Unix user and group numbers. Various other issues were also addressed.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2015-03-29 CVE Reserved
- 2015-03-31 CVE Published
- 2024-08-06 CVE Updated
- 2025-05-03 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2015/03/29/2 | Mailing List |
|
| http://www.securityfocus.com/bid/73217 | Vdb Entry | |
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.debian.org/security/2015/dsa-3209 | 2016-12-22 | |
| http://www.ubuntu.com/usn/USN-2742-1 | 2016-12-22 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.23 Search vendor "Openldap" for product "Openldap" and version "2.4.23" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.24 Search vendor "Openldap" for product "Openldap" and version "2.4.24" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.25 Search vendor "Openldap" for product "Openldap" and version "2.4.25" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.26 Search vendor "Openldap" for product "Openldap" and version "2.4.26" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.27 Search vendor "Openldap" for product "Openldap" and version "2.4.27" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.28 Search vendor "Openldap" for product "Openldap" and version "2.4.28" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.29 Search vendor "Openldap" for product "Openldap" and version "2.4.29" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.30 Search vendor "Openldap" for product "Openldap" and version "2.4.30" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.31 Search vendor "Openldap" for product "Openldap" and version "2.4.31" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.32 Search vendor "Openldap" for product "Openldap" and version "2.4.32" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.33 Search vendor "Openldap" for product "Openldap" and version "2.4.33" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.34 Search vendor "Openldap" for product "Openldap" and version "2.4.34" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.35 Search vendor "Openldap" for product "Openldap" and version "2.4.35" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.36 Search vendor "Openldap" for product "Openldap" and version "2.4.36" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.37 Search vendor "Openldap" for product "Openldap" and version "2.4.37" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.38 Search vendor "Openldap" for product "Openldap" and version "2.4.38" | - |
Affected
| ||||||
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | 2.4.39 Search vendor "Openldap" for product "Openldap" and version "2.4.39" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0" | - |
Affected
| ||||||