CVE-2011-1067 — Improper Input Validation in 389 Directory Server

CWE-20 — Improper Input Validation6 documents5 sources

Severity

5.0MEDIUMNVD

CNA7.5

EPSS

0.6%

top 30.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fedoraproject 389 Directory Server

Timeline

PublishedFeb 23

Latest updateMay 17

Description

slapd (aka ns-slapd) in 389 Directory Server before 1.2.8.a2 does not properly manage the c_timelimit field of the connection table element, which allows remote attackers to cause a denial of service (daemon outage) via Simple Paged Results connections, as demonstrated by using multiple processes to replay TCP sessions, a different vulnerability than CVE-2011-0019.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDfedoraproject/389_directory_server1.2.8+8

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-xc37-cv9h-f6mv: slapd (aka ns-slapd) in 389 Directory Server before 1↗2022-05-17

▶

CVEList

CVE-2011-1067: slapd (aka ns-slapd) in 389 Directory Server before 1↗2011-02-23

▶

📋Vendor Advisories

Red Hat

Server: DoS via Simple Paged Results connections↗2011-01-10

▶

💬Community

Bugzilla

CVE-2011-1067 Directory Server: DoS via Simple Paged Results connections↗2011-02-24

▶

Bugzilla

CVE-2011-1000 Telepathy-Gabble: Audio and video calls sniffing via crafted google:jingleinfo stanza↗2011-02-20

▶