Lucene search

[email protected]CVE-2019-3883

HistoryApr 17, 2019 - 2:29 p.m.

CVE-2019-3883

2019-04-1714:29:03

CWE-772

[email protected]

web.nvd.nist.gov

cve-2019-3883

389-ds-base

denial of service

ldap

security vulnerability

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

0.06 Low

EPSS

Percentile

93.5%

JSON

In 389-ds-base up to version 1.4.1.2, requests are handled by workers threads. Each sockets will be waited by the worker for at most ‘ioblocktimeout’ seconds. However this timeout applies only for un-encrypted requests. Connections using SSL/TLS are not taking this timeout into account during reads, and may hang longer.An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a Denial of Service.

Affected configurations

Vulners

NVD

Node

redhat389_directory_serverRange≤1.4.1.2

VendorProductVersionCPE
redhat389_directory_server*cpe:2.3:o:redhat:389_directory_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	389_directory_server	*	cpe:2.3:o:redhat:389_directory_server::::::::

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "389-ds-base",
    "versions": [
      {
        "version": "affects up to 1.4.1.2",
        "status": "affected"
      }
    ]
  }
]