Lucene search

[email protected]CVE-2019-14824

HistoryNov 08, 2019 - 3:15 p.m.

CVE-2019-14824

2019-11-0815:15:11

CWE-732

[email protected]

web.nvd.nist.gov

389-ds-base

deref plugin

search permission

attribute values

information security

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.2 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.7%

JSON

A flaw was found in the ‘deref’ plugin of 389-ds-base where it could use the ‘search’ permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.

Affected configurations

NVD

Node

fedoraproject389_directory_serverMatch-

Node

redhatenterprise_linuxMatch7.0

Node

debiandebian_linuxMatch8.0

CPENameOperatorVersion
fedoraproject:389_directory_serverfedoraproject 389 directory servereq-

CPE	Name	Operator	Version
fedoraproject:389_directory_server	fedoraproject 389 directory server	eq	-

CNA Affected

[
  {
    "product": "389-ds-base",
    "vendor": "[UNKNOWN]",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]