An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.
References
| Link | Resource |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2091781 | Issue Tracking Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
08 Aug 2023, 14:22
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-639 |
13 Jun 2022, 12:59
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Fedoraproject
Port389 389-ds-base Port389 Redhat directory Server Fedoraproject fedora Redhat Redhat enterprise Linux |
|
| CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 7.5 |
| CPE | cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* cpe:2.3:a:port389:389-ds-base:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:directory_server:12.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:directory_server:11.0:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* |
|
| CWE | CWE-863 | |
| References | (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2091781 - Issue Tracking, Patch, Third Party Advisory |
02 Jun 2022, 14:53
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2022-06-02 14:15
Updated : 2023-12-10 14:22
NVD link : CVE-2022-1949
Mitre link : CVE-2022-1949
CVE.ORG link : CVE-2022-1949
JSON object : View
Products Affected
redhat
- directory_server
- enterprise_linux
fedoraproject
- fedora
port389
- 389-ds-base
CWE
CWE-639
Authorization Bypass Through User-Controlled Key