
389-ds-base: information disclosure

Package(s): 389-ds-base    CVE #(s): CVE-2016-4992
Created: September 7, 2016    Updated: November 3, 2016
Description: From the Red Hat bugzilla:

A vulnerability was found in 389-ds-base that allows an attacker to bypass the limitations on compare and read operations specified by Access Control Instructions.

Given an LDAP sub-tree containing some existing objects, and a BIND DN that has no privileges over the objects inside that sub-tree, an unprivileged user can send an LDAP ADD operation specifying an object in the (supposedly) inaccessible sub-tree. The returned error message discloses whether the queried object exists with the specified value. An attacker can use this flaw to guess the values of an RDN component by repeating the above process.

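The following is an added illustration of the oracle described above, not code from 389-ds-base or from the bugzilla report. A small in-memory directory stands in for the server: `add_vulnerable` models the pre-fix behaviour, in which the server reports that the target entry already exists before it has considered whether the binding user may add under that sub-tree, and `add_fixed` models the corrected order, in which an unprivileged caller gets the same answer whether or not the entry exists. The DNs, user names and the exact LDAP result codes used for the two responses are assumptions of this model; the page only states that the error message differs.

```python
"""Model of the CVE-2016-4992 existence oracle and of the corrected check order.

Added illustration, not 389-ds-base code. The result codes are the standard
LDAP values; which codes the real server returned before and after the fix is
an assumption of this model, the page only says the error message differs.
"""
from dataclasses import dataclass

LDAP_SUCCESS = 0
LDAP_INSUFFICIENT_ACCESS = 50
LDAP_ENTRY_ALREADY_EXISTS = 68


@dataclass
class Directory:
    # entries: full DN -> attributes (constructed sample data)
    entries: dict
    # add_allowed: bind DNs permitted to ADD beneath the protected sub-tree
    add_allowed: set
    protected_subtree: str = "ou=people,dc=example,dc=com"

    def _may_add(self, bind_dn: str, dn: str) -> bool:
        # Only the protected sub-tree carries an ACI restriction in this model.
        if not dn.endswith("," + self.protected_subtree):
            return True
        return bind_dn in self.add_allowed

    def add_vulnerable(self, bind_dn: str, dn: str, attrs: dict) -> int:
        """Modelled pre-fix order: existence is tested before the ACI, so an
        unprivileged bind DN receives a different error code depending on
        whether the target entry already exists."""
        if dn in self.entries:
            return LDAP_ENTRY_ALREADY_EXISTS
        if not self._may_add(bind_dn, dn):
            return LDAP_INSUFFICIENT_ACCESS
        self.entries[dn] = dict(attrs)
        return LDAP_SUCCESS

    def add_fixed(self, bind_dn: str, dn: str, attrs: dict) -> int:
        """Corrected order: the ACI decision comes first, so a caller without
        add rights sees one uniform answer regardless of existence."""
        if not self._may_add(bind_dn, dn):
            return LDAP_INSUFFICIENT_ACCESS
        if dn in self.entries:
            return LDAP_ENTRY_ALREADY_EXISTS
        self.entries[dn] = dict(attrs)
        return LDAP_SUCCESS


def probe_rdn_values(add_op, bind_dn: str, parent_dn: str, attr: str, candidates):
    """The attacker loop from the description: issue an ADD for each guessed
    RDN value and keep the ones the server reports as already existing."""
    found = []
    for value in candidates:
        dn = f"{attr}={value},{parent_dn}"
        rc = add_op(bind_dn, dn, {attr: value, "objectClass": "inetOrgPerson"})
        if rc == LDAP_ENTRY_ALREADY_EXISTS:
            found.append(value)
    return found


def make_directory() -> Directory:
    # Constructed sample directory; DNs and names are made up for the example.
    people = "ou=people,dc=example,dc=com"
    entries = {
        f"uid={u},{people}": {"uid": u, "objectClass": "inetOrgPerson"}
        for u in ("alice", "bob", "svc-backup")
    }
    return Directory(entries=entries, add_allowed={"cn=Directory Manager"})


def demo():
    """Run the same guess list against both server models and return what
    each one leaks to a bind DN with no rights under ou=people."""
    attacker = "uid=guest,ou=guests,dc=example,dc=com"
    guesses = ["admin", "alice", "bob", "carol", "svc-backup", "root"]
    parent = "ou=people,dc=example,dc=com"
    leaked = probe_rdn_values(make_directory().add_vulnerable, attacker, parent, "uid", guesses)
    hidden = probe_rdn_values(make_directory().add_fixed, attacker, parent, "uid", guesses)
    return leaked, hidden


if __name__ == "__main__":
    leaked, hidden = demo()
    print("vulnerable model leaks:", leaked)  # ['alice', 'bob', 'svc-backup']
    print("fixed model leaks:", hidden)       # []
```

The point the model makes is about check ordering: any operation that can fail for more than one reason should evaluate the access-control decision before any check whose outcome depends on data the caller is not allowed to read, otherwise the distinguishable error becomes a one-bit oracle that repetition turns into enumeration. On a live server the same probing pattern shows up as a burst of ADD operations from one connection, all failing, against a sub-tree the bind DN never otherwise touches, which is the signal to look for in the access log.
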
Alerts:
Oracle ELSA-2016-2765 389-ds-base 2016-11-15
Red Hat RHSA-2016:2765-01 389-ds-base 2016-11-15
Red Hat RHSA-2016:2594-02 389-ds-base 2016-11-03
Mageia MGASA-2016-0350 389-ds-base 2016-10-21
Fedora FEDORA-2016-b1a36cccc8 389-ds-base 2016-09-07
Scientific Linux SLSA-2016:2594-2 389-ds-base 2016-12-14
Scientific Linux SLSA-2016:2765-1 389-ds-base 2016-11-21
CentOS CESA-2016:2765 389-ds-base 2016-11-19



Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds