389-ds-base@* Security Vulnerabilities and Issues — 389-ds-base@* CVE List

Lucene search

Port389389-ds-base*

10 matches found

CVE•added 2021/03/26 5:15 p.m.•241 views

CVE-2020-35518

When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.

5.3CVSS5.1AI score0.00428EPSS

CVE•added 2021/05/28 3:15 p.m.•238 views

CVE-2021-3514

When using a sync_repl client in 389-ds-base, an authenticated attacker can cause a NULL pointer dereference using a specially crafted query, causing a crash.

6.5CVSS6.2AI score0.00103EPSS

CVE•added 2022/10/14 6:15 p.m.•185 views

CVE-2022-2850

A flaw was found In 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of...

6.5CVSS6.3AI score0.00236EPSS

CVE•added 2022/03/16 3:15 p.m.•170 views

CVE-2022-0918

A vulnerability was discovered in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service. The denial of service is triggered by a single message sent over a TCP connection, no bind or other authentication is required. The m...

7.5CVSS7.5AI score0.0524EPSS

CVE•added 2022/02/18 6:15 p.m.•150 views

CVE-2021-4091

A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash.

7.5CVSS7.1AI score0.00156EPSS

CVE•added 2022/03/23 8:15 p.m.•122 views

CVE-2022-0996

A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication.

6.5CVSS6.5AI score0.00087EPSS

CVE•added 2022/04/18 5:15 p.m.•115 views

CVE-2021-3652

A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disa...

6.5CVSS6.3AI score0.00145EPSS

CVE•added 2018/05/09 3:29 p.m.•108 views

CVE-2018-1089

389-ds-base before versions 1.4.0.9, 1.3.8.1, 1.3.6.15 did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, t...

7.5CVSS6.7AI score0.20194EPSS

CVE•added 2022/06/02 2:15 p.m.•108 views

CVE-2022-1949

An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows se...

7.5CVSS7.4AI score0.00101EPSS

CVE•added 2018/04/30 12:29 p.m.•64 views

CVE-2017-2591

389-ds-base before version 1.3.6 is vulnerable to an improperly NULL terminated array in the uniqueness_entry_to_config() function in the "attribute uniqueness" plugin of 389 Directory Server. An authenticated, or possibly unauthenticated, attacker could use this flaw to force an out-of-bound heap ...

7.5CVSS7.5AI score0.08001EPSS