CVE-2017-2591
published 2018-04-30CVE-2017-2591: 389-ds-base before version 1.3.6 is vulnerable to an improperly NULL terminated array in the uniqueness_entry_to_config() function in the "attribute…
high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
389-ds-base before version 1.3.6 is vulnerable to an improperly NULL terminated array in the uniqueness_entry_to_config() function in the "attribute uniqueness" plugin of 389 Directory Server. An authenticated, or possibly unauthenticated, attacker could use this flaw to force an out-of-bound heap memory read, possibly triggering a crash of the LDAP service.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | 389-ds-base | < 389-ds-base 1.3.5.15-2 (bookworm) | 389-ds-base 1.3.5.15-2 (bookworm) |
| fedoraproject | 389_directory_server | < 1.3.6 | 1.3.6 |
| port389 | 389-ds-base | >= 0 < 1.3.5.15-2 | 1.3.5.15-2 |
| port389 | 389-ds-base | >= 0 < 1.3.5.15-2 | 1.3.5.15-2 |
| port389 | 389-ds-base | >= 0 < 1.3.5.15-2 | 1.3.5.15-2 |
| redhat | enterprise_linux | — | — |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH