Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-1949

An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.

Published

2022-06-02T14:15:34.257

Last Modified

2024-12-13T18:47:19.243

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-639

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	redhat	389_directory_server	≤ 2.0.0	Yes
Application	redhat	directory_server	11.0	Yes
Application	redhat	directory_server	12.0	Yes
Operating System	redhat	enterprise_linux	8.0	Yes
Operating System	redhat	enterprise_linux	9.0	Yes
Operating System	fedoraproject	fedora	34	Yes
Operating System	fedoraproject	fedora	35	Yes
Operating System	fedoraproject	fedora	36	Yes

References

https://bugzilla.redhat.com/show_bug.cgi?id=2091781 Issue Tracking, Patch, Third Party Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=2091781 Issue Tracking, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)