CVE-2013-1897

Severity

26%

Complexity

49%

Confidentiality

48%

The do_search function in ldap/servers/slapd/search.c in 389 Directory Server 1.2.x before 1.2.11.20 and 1.3.x before 1.3.0.5 does not properly restrict access to entries when the nsslapd-allow-anonymous-access configuration is set to rootdse and the BASE search scope is used, which allows remote attackers to obtain sensitive information outside of the rootDSE via a crafted LDAP search.

The do_search function in ldap/servers/slapd/search.c in 389 Directory Server 1.2.x before 1.2.11.20 and 1.3.x before 1.3.0.5 does not properly restrict access to entries when the nsslapd-allow-anonymous-access configuration is set to rootdse and the BASE search scope is used, which allows remote attackers to obtain sensitive information outside of the rootDSE via a crafted LDAP search.

CVSS 2.0 Base Score 2.6. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N).

Overview

Type

Fedora Project 389 Directory Server

First reported 11 years ago

2013-05-13 23:55:00

Last updated 11 years ago

2013-05-14 04:00:00

Affected Software

Fedora Project 389 Directory Server 1.2.1

1.2.1

Fedora Project 389 Directory Server 1.2.2

1.2.2

Fedora Project 389 Directory Server 1.2.3

1.2.3

Fedora Project 389 Directory Server 1.2.5

1.2.5

Fedora Project 389 Directory Server 1.2.5 Release Candidate 1

1.2.5

Fedora Project 389 Directory Server 1.2.5 Release Candidate 2

1.2.5

Fedora Project 389 Directory Server 1.2.5 Release Candidate 3

1.2.5

Fedora Project 389 Directory Server 1.2.5 Release Candidate 4

1.2.5

Fedora Project 389 Directory Server 1.2.6

1.2.6

Fedora Project 389 Directory Server 1.2.6 a2

1.2.6

Fedora Project 389 Directory Server 1.2.6 a3

1.2.6

Fedora Project 389 Directory Server 1.2.6 a4

1.2.6

Fedora Project 389 Directory Server 1.2.6 Release Candidate 1

1.2.6

Fedora Project 389 Directory Server 1.2.6 Release Candidate 2

1.2.6

Fedora Project 389 Directory Server 1.2.6 Release Candidate 3

1.2.6

Fedora Project 389 Directory Server 1.2.6 Release Candidate 6

1.2.6

Fedora Project 389 Directory Server 1.2.6 Release Candidate 7

1.2.6

Fedora Project 389 Directory Server 1.2.6.1

1.2.6.1

Fedora Project 389 Directory Server 1.2.7 Alpha 3

1.2.7

Fedora Project 389 Directory Server 1.2.7.5

1.2.7.5

Fedora Project 389 Directory Server 1.2.8 Alpha 1

1.2.8

Fedora Project 389 Directory Server 1.2.8 Alpha 2

1.2.8

Fedora Project 389 Directory Server 1.2.8 Alpha 3

1.2.8

Fedora Project 389 Directory Server 1.2.8 Release Candidate 1

1.2.8

Fedora Project 389 Directory Server 1.2.8 Release Candidate 2

1.2.8

Fedora Project 389 Directory Server 1.2.8.1

1.2.8.1

Fedora Project 389 Directory Server 1.2.8.2

1.2.8.2

Fedora Project 389 Directory Server 1.2.8.3

1.2.8.3

Fedora Project 389 Directory Server 1.2.9.9

1.2.9.9

Fedora Project 389 Directory Server 1.2.10

1.2.10

Fedora Project 389 Directory Server 1.2.10 alpha8

1.2.10

Fedora Project 389 Directory Server 1.2.10 release candidate 1

1.2.10

Fedora Project 389 Directory Server 1.2.10.2

1.2.10.2

Fedora Project 389 Directory Server 1.2.10.3

1.2.10.3

Fedora Project 389 Directory Server 1.2.10.4

1.2.10.4

Fedora Project 389 Directory Server 1.2.10.11

1.2.10.11

Fedora Project 389 Directory Server 1.2.11.1

1.2.11.1

Fedora Project 389 Directory Server 1.2.11.5

1.2.11.5

Fedora Project 389 Directory Server 1.2.11.6

1.2.11.6

Fedora Project 389 Directory Server 1.2.11.8

1.2.11.8

Fedora Project 389 Directory Server 1.2.11.9

1.2.11.9

Fedora Project 389 Directory Server 1.2.11.10

1.2.11.10

Fedora Project 389 Directory Server 1.2.11.11

1.2.11.11

Fedora Project 389 Directory Server 1.2.11.12

1.2.11.12

Fedora Project 389 Directory Server 1.2.11.13

1.2.11.13

Fedora Project 389 Directory Server 1.2.11.14

1.2.11.14

Fedora Project 389 Directory Server 1.2.11.15

1.2.11.15

Fedora Project 389 Directory Server 1.2.11.17

1.2.11.17

Fedora Project 389 Directory Server 1.2.11.19

1.2.11.19

Fedora Project 389 Directory Server 1.3.0.2

1.3.0.2

Fedora Project 389 Directory Server 1.3.0.3

1.3.0.3

Fedora Project 389 Directory Server 1.3.0.4

1.3.0.4

References

FEDORA-2013-4578

RHSA-2013:0742

https://bugzilla.redhat.com/show_bug.cgi?id=928105

https://fedorahosted.org/389/ticket/47308

https://fedorahosted.org/freeipa/ticket/3540

Vendor Advisory

https://git.fedorahosted.org/cgit/389/ds.git/commit/?h=389-ds-base-1.2.11&id=5a18c828533a670e7143327893f8171a19062286

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.