[Bugs] [Bug 13213] New: CVE-s found @ 389-ds-base 1.4.4.4

bugzilla bugzilla at rosalinux.ru
Sun Apr 16 20:57:46 MSK 2023


https://bugzilla.rosalinux.ru/show_bug.cgi?id=13213

          Platform: ---
            Bug ID: 13213
           Summary: CVE-s found @ 389-ds-base 1.4.4.4
    Classification: ROSA-based products
           Product: Certified ROSA distros
           Version: Chrome
          Hardware: All
                OS: Linux
            Status: CONFIRMED
          Severity: major
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs at lists.rosalinux.ru
          Reporter: y.tumanov at rosalinux.ru
        QA Contact: bugs at lists.rosalinux.ru
  Target Milestone: ---
             Group: ROSA-plus-NTCIT

CVE-2021-3652
        A flaw was found in 389-ds-base. If an asterisk is imported as a password
        hash, either accidentally or maliciously, then instead of being inactive, any
        password will successfully match during authentication. This flaw allows an
        attacker to successfully authenticate as a user whose password was disabled.
        https://nvd.nist.gov/vuln/detail/CVE-2021-3652
MEDIUM
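A defender-side check that follows from the description above: before importing an LDIF into the directory, audit userPassword values and refuse any that are not a scheme-prefixed hash (a bare asterisk being the case named in the CVE). This is an added example, not code from the bug report or from the 389-ds-base project; the sample LDIF and the {SSHA512} placeholder value are constructed, and the "valid hash" rule (a `{SCHEME}` prefix followed by data) is an assumption used for illustration, not the server's own validation logic.

```python
import base64
import re

# Constructed sample LDIF (not from the bug report). It mixes a scheme-prefixed
# hash (placeholder value), a bare "*" placeholder, and the same "*" base64-encoded
# the way LDIF tools emit values that are not safe as plain text ("userPassword::").
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword: {SSHA512}PLACEHOLDERHASHVALUE==

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
userPassword: *

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
userPassword:: Kg==
"""

# Assumed rule for a usable stored credential: "{SCHEME}" prefix plus non-empty data.
SCHEME_HASH_RE = re.compile(r"^\{[A-Za-z0-9_-]+\}.+$")
# "attr: value" or "attr:: base64value"; the greedy (::?) picks up the double colon.
ATTR_LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Minimal LDIF reader: joins continuation lines, decodes '::' base64 values,
    and returns a list of (dn, {attribute: [values]}) tuples."""
    joined = []
    for line in text.splitlines():
        if line.startswith(" ") and joined:      # continuation line
            joined[-1] += line[1:]
        else:
            joined.append(line)

    entries, current = [], None
    for line in joined + [""]:                   # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE_RE.match(line)
        if not m:
            continue                             # ignore malformed lines in this audit
        attr, sep, value = m.group(1), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr.lower(), []).append(value)
    return entries


def audit_ldif(text):
    """Return [(dn, offending_value)] for every userPassword value that is not a
    scheme-prefixed hash, e.g. the bare "*" placeholder described in CVE-2021-3652."""
    findings = []
    for dn, attrs in parse_ldif(text):
        for value in attrs.get("userpassword", []):
            if not SCHEME_HASH_RE.match(value):
                findings.append((dn, value))
    return findings


if __name__ == "__main__":
    for dn, value in audit_ldif(SAMPLE_LDIF):
        print(f"REJECT {dn}: userPassword {value!r} is not a scheme-prefixed hash")
```

Run the audit over a real export (`db2ldif` output, for instance) before `ldif2db`, and treat any finding as a blocker: an account that is meant to be disabled should carry a deliberately unusable hash rather than a placeholder the server may treat as matching anything.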


CVE-2022-1949
        An access control bypass vulnerability was found in 389-ds-base. Mishandling
        of the filter was initially thought only to yield incorrect results, but as
        analysis progressed it was determined to actually be an access control bypass.
        This may allow any remote unauthenticated user to issue a filter that allows
        searching for database items they do not have access to, including but not
        limited to userPassword hashes and other sensitive data.
        https://nvd.nist.gov/vuln/detail/CVE-2022-1949
HIGH
