Main Vulnerability Database Vulnerabilities #VU54105

#VU54105 Information disclosure in 389-ds-base - CVE-2020-35518

Published: June 15, 2021

Vulnerability identifier: #VU54105

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2020-35518

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
389-ds-base

Software vendor:
389 Directory Server Project

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.

Remediation

Install updates from vendor's website.

External links

https://bugzilla.redhat.com/show_bug.cgi?id=1905565
https://github.com/389ds/389-ds-base/commit/b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32
https://github.com/389ds/389-ds-base/commit/cc0f69283abc082488824702dae485b8eae938bc
https://github.com/389ds/389-ds-base/issues/4480

#VU54105 Information disclosure in 389-ds-base - CVE-2020-35518

Description

Remediation

External links

Please verify you're human