Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2013-1897

The do_search function in ldap/servers/slapd/search.c in 389 Directory Server 1.2.x before 1.2.11.20 and 1.3.x before 1.3.0.5 does not properly restrict access to entries when the nsslapd-allow-anonymous-access configuration is set to rootdse and the BASE search scope is used, which allows remote attackers to obtain sensitive information outside of the rootDSE via a crafted LDAP search.

Published

2013-05-13T23:55:01.717

Last Modified

2025-04-11T00:51:21.963

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 2.6 (LOW)

CVSSv2 Vector

AV:N/AC:H/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

4.9

Impact Score

2.9

Weaknesses

Type: Primary
CWE-264

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	fedoraproject	389_directory_server	1.2.1	Yes
Application	fedoraproject	389_directory_server	1.2.2	Yes
Application	fedoraproject	389_directory_server	1.2.3	Yes
Application	fedoraproject	389_directory_server	1.2.5	Yes
Application	fedoraproject	389_directory_server	1.2.5	Yes
Application	fedoraproject	389_directory_server	1.2.5	Yes
Application	fedoraproject	389_directory_server	1.2.5	Yes
Application	fedoraproject	389_directory_server	1.2.5	Yes
Application	fedoraproject	389_directory_server	1.2.6	Yes
Application	fedoraproject	389_directory_server	1.2.6	Yes
Application	fedoraproject	389_directory_server	1.2.6	Yes
Application	fedoraproject	389_directory_server	1.2.6	Yes
Application	fedoraproject	389_directory_server	1.2.6	Yes
Application	fedoraproject	389_directory_server	1.2.6	Yes
Application	fedoraproject	389_directory_server	1.2.6	Yes
Application	fedoraproject	389_directory_server	1.2.6	Yes
Application	fedoraproject	389_directory_server	1.2.6	Yes
Application	fedoraproject	389_directory_server	1.2.6.1	Yes
Application	fedoraproject	389_directory_server	1.2.7	Yes
Application	fedoraproject	389_directory_server	1.2.7.5	Yes
Application	fedoraproject	389_directory_server	1.2.8	Yes
Application	fedoraproject	389_directory_server	1.2.8	Yes
Application	fedoraproject	389_directory_server	1.2.8	Yes
Application	fedoraproject	389_directory_server	1.2.8	Yes
Application	fedoraproject	389_directory_server	1.2.8	Yes
Application	fedoraproject	389_directory_server	1.2.8.1	Yes
Application	fedoraproject	389_directory_server	1.2.8.2	Yes
Application	fedoraproject	389_directory_server	1.2.8.3	Yes
Application	fedoraproject	389_directory_server	1.2.9.9	Yes
Application	fedoraproject	389_directory_server	1.2.10	Yes
Application	fedoraproject	389_directory_server	1.2.10	Yes
Application	fedoraproject	389_directory_server	1.2.10	Yes
Application	fedoraproject	389_directory_server	1.2.10.2	Yes
Application	fedoraproject	389_directory_server	1.2.10.3	Yes
Application	fedoraproject	389_directory_server	1.2.10.4	Yes
Application	fedoraproject	389_directory_server	1.2.10.11	Yes
Application	fedoraproject	389_directory_server	1.2.11.1	Yes
Application	fedoraproject	389_directory_server	1.2.11.5	Yes
Application	fedoraproject	389_directory_server	1.2.11.6	Yes
Application	fedoraproject	389_directory_server	1.2.11.8	Yes
Application	fedoraproject	389_directory_server	1.2.11.9	Yes
Application	fedoraproject	389_directory_server	1.2.11.10	Yes
Application	fedoraproject	389_directory_server	1.2.11.11	Yes
Application	fedoraproject	389_directory_server	1.2.11.12	Yes
Application	fedoraproject	389_directory_server	1.2.11.13	Yes
Application	fedoraproject	389_directory_server	1.2.11.14	Yes
Application	fedoraproject	389_directory_server	1.2.11.15	Yes
Application	fedoraproject	389_directory_server	1.2.11.17	Yes
Application	fedoraproject	389_directory_server	1.2.11.19	Yes
Application	fedoraproject	389_directory_server	1.3.0.2	Yes
Application	fedoraproject	389_directory_server	1.3.0.3	Yes
Application	fedoraproject	389_directory_server	1.3.0.4	Yes

References

http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101323.html ([email protected])
http://rhn.redhat.com/errata/RHSA-2013-0742.html ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=928105 ([email protected])
https://fedorahosted.org/389/ticket/47308 ([email protected])
https://fedorahosted.org/freeipa/ticket/3540 Vendor Advisory ([email protected])
https://git.fedorahosted.org/cgit/389/ds.git/commit/?h=389-ds-base-1.2.11&id=5a18c828533a670e7143327893f8171a19062286 ([email protected])
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101323.html (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2013-0742.html (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=928105 (af854a3a-2127-422b-91ae-364da2661108)
https://fedorahosted.org/389/ticket/47308 (af854a3a-2127-422b-91ae-364da2661108)
https://fedorahosted.org/freeipa/ticket/3540 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://git.fedorahosted.org/cgit/389/ds.git/commit/?h=389-ds-base-1.2.11&id=5a18c828533a670e7143327893f8171a19062286 (af854a3a-2127-422b-91ae-364da2661108)