Fluid Attacks Database

Description

The do_search function in ldap/servers/slapd/search.c in 389 Directory Server 1.2.x before 1.2.11.20 and 1.3.x before 1.3.0.5 does not properly restrict access to entries when the nsslapd-allow-anonymous-access configuration is set to rootdse and the BASE search scope is used, which allows remote attackers to obtain sensitive information outside of the rootDSE via a crafted LDAP search.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	389-ds-base	>=0 <1.3.2.9-1	1.3.2.9-1
debian 11	389-ds-base	>=0 <1.3.2.9-1	1.3.2.9-1
debian 12	389-ds-base	>=0 <1.3.2.9-1	1.3.2.9-1
rpm rhel6	389-ds-base	<0:1.2.11.15-14.el6_4	0:1.2.11.15-14.el6_4
rpm rhel6	ipa	-	-

Aliases

1. CVE-2013-18972. NVD-2013-18973. OSV-DEBIAN-2013-18974. OSV-2013-18975. SECURITY-TRACKER-CVE-2013-1897

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.