CVE-2016-4984 — Race Condition in Openldap

CWE-362 — Race Condition CWE-732 — Incorrect Permission Assignment6 documents5 sources

Severity

4.7MEDIUMNVD

EPSS

0.0%

top 93.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Openldap

Timeline

PublishedJul 17

Latest updateMay 14

Description

/usr/libexec/openldap/generate-server-cert.sh in openldap-servers sets weak permissions for the TLS certificate, which allows local users to obtain the TLS certificate by leveraging a race condition between the creation of the certificate, and the chmod to protect it.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.0 | Impact: 3.6

Affected Packages1 packages

▶debiandebian/openldap

🔴Vulnerability Details

GHSA

GHSA-8mqm-pq95-4fc3: /usr/libexec/openldap/generate-server-cert↗2022-05-14

▶

📋Vendor Advisories

Red Hat

openldap-servers: /usr/libexec/openldap/generate-server-cert.sh create world readable password file↗2016-06-13

▶

Debian

CVE-2016-4984: openldap - /usr/libexec/openldap/generate-server-cert.sh in openldap-servers sets weak perm...↗2016

▶

💬Community

Bugzilla

CVE-2016-4984 openldap-servers: /usr/libexec/openldap/generate-server-cert.sh create world readable password file↗2016-06-14

▶

Bugzilla

CVE-2016-4984 openldap: openldap-servers: /usr/libexec/openldap/generate-server-cert.sh create world readable password file [fedora-all]↗2016-06-14

▶