{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6237", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-06-21T02:32:34.022Z", "datePublished": "2024-07-09T16:39:58.810Z", "dateUpdated": "2024-10-31T14:20:43.252Z"}, "containers": {"cna": {"title": "389-ds-base: unauthenticated user can trigger a dos by sending a specific extended search request", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "2.4.5", "versionType": "semver"}], "packageName": "389-ds-base", "collectionURL": "https://github.com/389ds/389-ds-base", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Directory Server 12.4 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "redhat-ds:12", "defaultStatus": "affected", "versions": [{"version": "9040020240723122852.1674d574", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:directory_server:12.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "389-ds-base", "defaultStatus": "affected", "versions": [{"version": "0:2.4.5-9.el9_4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Directory Server 11", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "redhat-ds:11/389-ds-base", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:directory_server:11"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "389-ds-base", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "389-ds-base", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "389-ds:1.4/389-ds-base", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:4997", "name": "RHSA-2024:4997", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:5192", "name": "RHSA-2024:5192", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-6237", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293579", "name": "RHBZ#2293579", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/389ds/389-ds-base/issues/5989"}], "datePublic": "2024-07-09T16:03:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-230", "description": "Improper Handling of Missing Values", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-230: Improper Handling of Missing Values", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2024-06-20T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-07-09T16:03:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-10-31T14:20:43.252Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-13T20:16:20.543543Z", "id": "CVE-2024-6237", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-13T20:16:27.843Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:33:05.243Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-6237", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293579", "name": "RHBZ#2293579", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/389ds/389-ds-base/issues/5989", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-6237", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293579", "name": "RHBZ#2293579", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/389ds/389-ds-base/issues/5989", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:33:05.243Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6237", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-13T20:16:20.543543Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-13T20:16:24.723Z"}}], "cna": {"title": "389-ds-base: unauthenticated user can trigger a dos by sending a specific extended search request", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "2.4.5", "versionType": "semver"}], "packageName": "389-ds-base", "collectionURL": "https://github.com/389ds/389-ds-base", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:directory_server:12.4::el9"], "vendor": "Red Hat", "product": "Red Hat Directory Server 12.4 for RHEL 9", "versions": [{"status": "unaffected", "version": "9040020240723122852.1674d574", "lessThan": "*", "versionType": "rpm"}], "packageName": "redhat-ds:12", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:2.4.5-9.el9_4", "lessThan": "*", "versionType": "rpm"}], "packageName": "389-ds-base", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:directory_server:11"], "vendor": "Red Hat", "product": "Red Hat Directory Server 11", "packageName": "redhat-ds:11/389-ds-base", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "packageName": "389-ds-base", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "389-ds-base", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "389-ds:1.4/389-ds-base", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-06-20T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-07-09T16:03:00+00:00", "value": "Made public."}], "datePublic": "2024-07-09T16:03:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:4997", "name": "RHSA-2024:4997", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:5192", "name": "RHSA-2024:5192", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-6237", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293579", "name": "RHBZ#2293579", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/389ds/389-ds-base/issues/5989"}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "descriptions": [{"lang": "en", "value": "A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-230", "description": "Improper Handling of Missing Values"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-10-31T14:20:43.252Z"}, "x_redhatCweChain": "CWE-230: Improper Handling of Missing Values"}}, "cveMetadata": {"cveId": "CVE-2024-6237", "state": "PUBLISHED", "dateUpdated": "2024-10-31T14:20:43.252Z", "dateReserved": "2024-06-21T02:32:34.022Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-07-09T16:39:58.810Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:directory_server:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "A3DAF61A-58A9-41A6-A4DC-64148055B0C1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:389_directory_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "A861110D-0BBC-4052-BBFD-F718F6CD72C5", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en 389 Directory Server. Este fallo permite que un usuario no autenticado provoque un fallo sistem\u00e1tico del servidor mientras env\u00eda una solicitud de b\u00fasqueda extendida espec\u00edfica, lo que lleva a una denegaci\u00f3n de servicio."}], "id": "CVE-2024-6237", "lastModified": "2024-08-29T18:15:14.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-07-09T17:15:48.960", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:4997"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:5192"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-6237"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293579"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://github.com/389ds/389-ds-base/issues/5989"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-230"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:4997", "cpe": "cpe:/a:redhat:directory_server:12.4::el9", "package": "redhat-ds:12-9040020240723122852.1674d574", "product_name": "Red Hat Directory Server 12.4 for RHEL 9", "release_date": "2024-08-06T00:00:00Z"}, {"advisory": "RHSA-2024:5192", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "389-ds-base-0:2.4.5-9.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-08-12T00:00:00Z"}], "bugzilla": {"description": "389-ds-base: unauthenticated user can trigger a DoS by sending a specific extended search request", "id": "2293579", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293579"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-230", "details": ["A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service.", "A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-6237", "package_state": [{"cpe": "cpe:/a:redhat:directory_server:11", "fix_state": "Not affected", "package_name": "redhat-ds:11/389-ds-base", "product_name": "Red Hat Directory Server 11"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "389-ds-base", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "389-ds-base", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "389-ds:1.4/389-ds-base", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2024-07-09T16:03:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-6237\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-6237\nhttps://github.com/389ds/389-ds-base/issues/5989"], "statement": "The issue is classified as moderate severity rather than important because, while it allows an unauthenticated user to trigger a denial of service (DoS) by sending a specific extended search request, it does not compromise the integrity or confidentiality of the system. The vulnerability is limited to service availability, meaning the server can crash and become temporarily unavailable, but no data is leaked, altered, or accessed by unauthorized users. Additionally, recovery from this condition typically involves restarting the service, which can be automated or handled through monitoring tools, thus limiting the long-term impact. Since the flaw does not facilitate unauthorized access or privilege escalation, it is considered moderate in severity.", "threat_severity": "Moderate"}