CVE-2020-35518
MEDIUM
389 Directory Server < 1.4.3.19 - Unauthenticated LDAP Entry Existence Disclosure
Title source: llm
Description
When binding against a DN during authentication, the reply from 389-ds-base differs depending on whether the DN exists. An unauthenticated attacker can use this difference to check whether an entry exists in the LDAP database.
References (4)
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1905565
Patch, Third Party Advisory x_refsource_misc
https://github.com/389ds/389-ds-base/issues/4480
Patch, Third Party Advisory x_refsource_misc
https://github.com/389ds/389-ds-base/commit/cc0f69283abc082488824702dae485b8eae938bc
Patch, Third Party Advisory x_refsource_misc
https://github.com/389ds/389-ds-base/commit/b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32
Scores
CVSS v3
5.3
EPSS
0.0080
EPSS Percentile
74.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
CWE-203
Status
published
Products (4)
redhat/389_directory_server
< 1.4.3.19
redhat/directory_server
11.0
redhat/enterprise_linux
7.0
redhat/enterprise_linux
8.0
Published
Mar 26, 2021
Tracked Since
Feb 18, 2026