CVE-2013-1897389 Directory Server vulnerability

CWE-2649 documents7 sources
Severity
2.6LOWNVD
EPSS
0.4%
top 38.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Port389 389-ds-baseFedoraproject 389 Directory Server
Timeline
PublishedMay 13
Latest updateMay 17

Description

The do_search function in ldap/servers/slapd/search.c in 389 Directory Server 1.2.x before 1.2.11.20 and 1.3.x before 1.3.0.5 does not properly restrict access to entries when the nsslapd-allow-anonymous-access configuration is set to rootdse and the BASE search scope is used, which allows remote attackers to obtain sensitive information outside of the rootDSE via a crafted LDAP search.

CVSS vector

AV:N/AC:H/C:P/I:N/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages2 packages

Debianport389/389-ds-base< 1.3.2.9-1+2

🔴Vulnerability Details

3
GHSA
GHSA-xpx8-wp93-8pmf: The do_search function in ldap/servers/slapd/search2022-05-17
OSV
CVE-2013-1897: The do_search function in ldap/servers/slapd/search2013-05-13
CVEList
CVE-2013-1897: The do_search function in ldap/servers/slapd/search2013-05-13

📋Vendor Advisories

2
Red Hat
389-ds: unintended information exposure when rootdse is enabled2013-03-28
Debian
CVE-2013-1897: 389-ds-base - The do_search function in ldap/servers/slapd/search.c in 389 Directory Server 1....2013

💬Community

3
Bugzilla
CVE-2013-1897 389-ds: unintended information exposure when rootdse is enabled [fedora-all]2013-03-28
Bugzilla
CVE-2013-1897 389-ds: unintended information exposure when rootdse is enabled [fedora-all]2013-03-28
Bugzilla
CVE-2013-1897 389-ds: unintended information exposure when rootdse is enabled2013-03-26
CVE-2013-1897 — 389 Directory Server vulnerability | cvebase