#VU23002 Information disclosure in 389-ds-base - CVE-2019-14824

Cybersecurity Help s.r.o.

Published: 2019-11-26

Vulnerability identifier: #VU23002

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-14824

CWE-ID: CWE-200

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
389-ds-base
Server applications / Directory software, identity management

Vendor: 389 Directory Server Project

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to incorrect permissions in the 'deref' plugin in 389-ds-base when displaying attribute values during search. A remote user in local network can gain access to private attributes, such as password hashes.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

389-ds-base: 1.4.0.0 - 1.4.2.2

External links
https://access.redhat.com/errata/RHSA-2019:3981
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14824

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat update for 389-ds:1.4

Amazon Linux AMI update for 389-ds-base

Red Hat update for 389-ds-base

Information disclosure in 389-ds-base