CVE-2017-15135
389-ds-base: Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
It was found that 389-ds-base since 1.3.6.1 up to and including 1.4.0.3 did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the authentication process under very rare and specific circumstances.
Se ha descubierto que 389-ds-base, desde la versión 1.3.6.1 y hasta e incluyendo la versión 1.4.0.3, no manipulaba siempre las operaciones de comparación de hash internas de manera correcta durante el proceso de autenticación. Un atacante remoto no autenticado podría emplear este error para omitir el proceso de autenticación bajo circunstancias muy excepcionales.
It was found that 389-ds-base did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the authentication process under very rare and specific circumstances.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-10-08 CVE Reserved
- 2018-01-24 CVE Published
- 2023-07-27 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
CAPEC
References (6)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/102811 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1525628 | 2018-03-13 |
URL | Date | SRC |
---|---|---|
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00033.html | 2023-02-12 | |
https://access.redhat.com/errata/RHSA-2018:0414 | 2023-02-12 | |
https://access.redhat.com/errata/RHSA-2018:0515 | 2023-02-12 | |
https://access.redhat.com/security/cve/CVE-2017-15135 | 2018-03-13 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Fedoraproject Search vendor "Fedoraproject" | 389 Directory Server Search vendor "Fedoraproject" for product "389 Directory Server" | >= 1.3.6.1 <= 1.4.0.3 Search vendor "Fedoraproject" for product "389 Directory Server" and version " >= 1.3.6.1 <= 1.4.0.3" | - |
Affected
|