CVE-2019-14824

MEDIUM

389 Directory Server - Unauthorized Attribute Disclosure via Deref Plugin

Title source: llm

Description

A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.

References (5)

Core 5

Core References

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:3981

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2019/11/msg00036.html

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2020:0464

Issue Tracking, Vendor Advisory x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14824

Mailing List

https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html

Scores

CVSS v3 6.5

EPSS 0.0130

EPSS Percentile 66.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-732

Status published

Products (3)

debian/debian_linux 8.0

fedoraproject/389_directory_server

redhat/enterprise_linux 7.0

Published Nov 08, 2019

Tracked Since Feb 18, 2026