Lucene search

[email protected]CVE-2022-1949

HistoryJun 02, 2022 - 2:15 p.m.

CVE-2022-1949

2022-06-0214:15:34

CWE-639

[email protected]

web.nvd.nist.gov

cve-2022-1949

389-ds-base

access control bypass

vulnerability

filter mishandling

remote unauthenticated user

sensitive data

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.6%

JSON

An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.

Affected configurations

Vulners

NVD

Node

fedoraproject389_directory_serverRange≤2.0

VendorProductVersionCPE
fedoraproject389_directory_server*cpe:2.3:a:fedoraproject:389_directory_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fedoraproject	389_directory_server	*	cpe:2.3:a:fedoraproject:389_directory_server::::::::

CNA Affected

[
  {
    "product": "389-ds-base",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "389-ds-base-2.0"
      }
    ]
  }
]