CVE-2020-35518 - log

CVE-2020-35518 edited at 26 Jan 2021 09:32:24
Description
- When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.
+ A security issue was found in 389-ds-base starting from version 1.4.2.3. When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database. The issue is fixed in versions 1.4.4.10 and 2.0.2.
CVE-2020-35518 edited at 23 Jan 2021 09:37:50
References
https://bugzilla.redhat.com/show_bug.cgi?id=1905565
+ https://github.com/389ds/389-ds-base/issues/4480
+ https://github.com/389ds/389-ds-base/commit/cc0f69283abc082488824702dae485b8eae938bc
+ https://github.com/389ds/389-ds-base/commit/38b97faef8a6421a7a638ecdbf0b341e2b3f9ab3
CVE-2020-35518 edited at 20 Jan 2021 09:57:56
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1905565
Notes
CVE-2020-35518 created at 20 Jan 2021 09:57:07