When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1905565 | Issue Tracking Patch Vendor Advisory |
https://github.com/389ds/389-ds-base/commit/b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32 | Patch Third Party Advisory |
https://github.com/389ds/389-ds-base/commit/cc0f69283abc082488824702dae485b8eae938bc | Patch Third Party Advisory |
https://github.com/389ds/389-ds-base/issues/4480 | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2021-03-26T16:43:08
Updated: 2021-03-26T16:43:08
Reserved: 2020-12-17T00:00:00
Link: CVE-2020-35518
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-03-26T17:15:12.280
Modified: 2022-08-05T17:42:42.370
Link: CVE-2020-35518
JSON object: View
Redhat Information
No data.