Lucene search

[email protected]NVD:CVE-2019-14824

HistoryNov 08, 2019 - 3:15 p.m.

CVE-2019-14824

2019-11-0815:15:11

CWE-732

[email protected]

web.nvd.nist.gov

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

0.002

Percentile

56.7%

JSON

A flaw was found in the ‘deref’ plugin of 389-ds-base where it could use the ‘search’ permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.

Affected configurations

Nvd

Node

fedoraproject389_directory_serverMatch-

Node

redhatenterprise_linuxMatch7.0

Node

debiandebian_linuxMatch8.0

VendorProductVersionCPE
fedoraproject389_directory_server-cpe:2.3:a:fedoraproject:389_directory_server:-:*:*:*:*:*:*:*
redhatenterprise_linux7.0cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
debiandebian_linux8.0cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fedoraproject	389_directory_server	-	cpe:2.3:a:fedoraproject:389_directory_server:-:::::::*
redhat	enterprise_linux	7.0	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
debian	debian_linux	8.0	cpe:2.3:o:debian:debian_linux:8.0:::::::*