{"containers": {"cna": {"affected": [{"product": "389-ds-base", "vendor": "[UNKNOWN]", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-04T18:00:58", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2019:3981", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3981"}, {"name": "[debian-lts-announce] 20191129 [SECURITY] [DLA 2004-1] 389-ds-base security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00036.html"}, {"name": "RHSA-2020:0464", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0464"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14824"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:26:39.128Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2019:3981", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3981"}, {"name": "[debian-lts-announce] 20191129 [SECURITY] [DLA 2004-1] 389-ds-base security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00036.html"}, {"name": "RHSA-2020:0464", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0464"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14824"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html", "tags": ["x_transferred"]}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-14824", "datePublished": "2019-11-08T14:45:46", "dateReserved": "2019-08-10T00:00:00", "dateUpdated": "2024-08-05T00:26:39.128Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fedoraproject:389_directory_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "65E209CD-4A5F-48F1-BA57-3145757D2C23", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes."}, {"lang": "es", "value": "Se detect\u00f3 un fallo en el plugin \"deref\" de 389-ds-base, donde podr\u00eda usar el permiso \"search\" para mostrar los valores de los atributos. En algunas configuraciones, esto podr\u00eda permitir a un atacante autenticado visualizar atributos privados, tales como hashes de contrase\u00f1as."}], "id": "CVE-2019-14824", "lastModified": "2023-04-24T09:15:07.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-08T15:15:11.563", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3981"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0464"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14824"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00036.html"}, {"source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-732"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Gerald Vogt (Deutsches Klimarechenzentrum) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2019:3981", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "389-ds-base-0:1.3.9.1-12.el7_7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-11-26T00:00:00Z"}, {"advisory": "RHSA-2019:3401", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "389-ds:1.4-8010020190903200205.eb48df33", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-11-05T00:00:00Z"}, {"advisory": "RHSA-2020:0464", "cpe": "cpe:/a:redhat:rhel_e4s:8.0", "package": "389-ds:1.4-8000020191107193846.187e9a3f", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-02-10T00:00:00Z"}], "bugzilla": {"description": "389-ds-base: Read permission check bypass via the deref plugin", "id": "1747448", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1747448"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-732", "details": ["A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.", "A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes."], "name": "CVE-2019-14824", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "389-ds-base", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2019-11-04T09:14:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-14824\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14824\nhttps://pagure.io/389-ds-base/issue/50716"], "statement": "This vulnerability is rated Important when use in a IdM/IPA environment, where an ACI installed by default allows an authenticated attacker to use this flaw to retrieve the userPassword attribute of any user.", "threat_severity": "Important"}