CVE-2020-35518

Severity: medium

Description

When binding against a DN during authentication, the reply from 389-ds-base differs depending on whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1905565

https://github.com/389ds/389-ds-base/issues/4480

https://github.com/389ds/389-ds-base/commit/cc0f69283abc082488824702dae485b8eae938bc

https://github.com/389ds/389-ds-base/commit/b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32

Details

Source: MITRE

Published: 2021-03-26

Updated: 2022-08-05

Type: CWE-203

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Impact Score: 1.4

Exploitability Score: 3.9

Severity: MEDIUM