
Debian: DLA-3399-1 Moderate: 389-ds-base DoS and Info Leak

Debian LTS, April 24, 2023
Serious vulnerabilities identified in the 389-ds-base LDAP server for Debian LTS, necessitating urgent updates to mitigate potential exploitation risks.
Multiple security issues were discovered in 389-ds-base, an open source LDAP server for Linux.

Summary

CVE-2019-3883

SSL/TLS requests do not enforce the ioblocktimeout limit, leading to a DoS
vulnerability in which all workers are tied up by hanging LDAP requests.

CVE-2019-10224

The vulnerability may disclose sensitive information, such as the Directory
Manager password, when the dscreate and dsconf commands are executed in
verbose mode. An attacker who can view the screen or capture the terminal
standard error output can exploit this vulnerability to obtain confidential information.

CVE-2019-14824

The 'deref' plugin of 389-ds-base has a vulnerability that enables it to
disclose attribute values using the 'search' permission. In certain setups,
an authenticated attacker can exploit this flaw to access confidential
attributes, including password hashes.

CVE-2021-3514

If a sync_repl client is used, an authenticated attacker can trigger a crash
by sending a specially crafted query that leads to a NULL pointer
dereference.

CVE-2021-3652


Package: 389-ds-base
Version: 1.4.0.21-1+deb10u1
CVE ID: CVE-2019-3883 CVE-2019-10224 CVE-2019-14824 CVE-2021-3514
