CVE-2017-2591

CWE-122Heap-based Buffer OverflowCWE-125Out-of-bounds Read8 documents7 sources
Severity
7.5HIGH
EPSS
2.8%
top 13.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Fedoraproject 389 Directory ServerUnspecified 389-ds-baseRedhat Enterprise Linux
Timeline
PublishedApr 30
Latest updateMay 13

Description

389-ds-base before version 1.3.6 is vulnerable to an improperly NULL terminated array in the uniqueness_entry_to_config() function in the "attribute uniqueness" plugin of 389 Directory Server. An authenticated, or possibly unauthenticated, attacker could use this flaw to force an out-of-bound heap memory read, possibly triggering a crash of the LDAP service.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 2.2 | Impact: 1.4

Affected Packages3 packages

Debian389-ds-base< 1.3.5.15-2+2
CVEListV5unspecified/389-ds-base389-ds-base 1.3.6

Also affects: Enterprise Linux 7.0

Patches

Patch: pagure.ioPatch: pagure.io

🔴Vulnerability Details

3
GHSA
GHSA-cmhq-25mx-42j8: 389-ds-base before version 12022-05-13
OSV
CVE-2017-2591: 389-ds-base before version 12018-04-30
CVEList
CVE-2017-2591: 389-ds-base before version 12018-04-30

📋Vendor Advisories

2
Debian
CVE-2017-2591: 389-ds-base - 389-ds-base before version 1.3.6 is vulnerable to an improperly NULL terminated ...2017
Red Hat
389-ds-base: Heap buffer overflow in uiduniq.c2016-09-13

💬Community

2
Bugzilla
CVE-2017-2591 389-ds-base: Heap buffer overflow in uiduniq.c2016-10-04
Bugzilla
CVE-2017-2591 389-ds-base: various flaws [fedora-all]2016-10-04
CVE-2017-2591 (HIGH CVSS 7.5) | 389-ds-base before version 1.3.6 is | cvebase.io