CVE-2019-14824
MEDIUMFedoraproject 389 Directory Server - Incorrect Permission Assignment
Title source: ruleDescription
A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.
References (5)
Core 5
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3981
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/11/msg00036.html
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0464
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14824
Scores
CVSS v3
6.5
EPSS
0.0040
EPSS Percentile
60.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-732
Status
published
Products (3)
debian/debian_linux
8.0
fedoraproject/389_directory_server
redhat/enterprise_linux
7.0
Published
Nov 08, 2019
Tracked Since
Feb 18, 2026