Fluid Attacks Database

Description

A flaw was found In 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	389-ds-base	=1.4.4.11-2 \|\| >=0 <1.4.4.11-2+deb11u1	1.4.4.11-2+deb11u1
debian 12	389-ds-base	>=0 <2.3.1-1	2.3.1-1
debian 13	389-ds-base	>=0 <2.3.1-1	2.3.1-1
rpm rhel6	389-ds-base	-	-
rpm rhel9	389-ds-base	<0:2.1.3-4.el9_1	0:2.1.3-4.el9_1
rpm rhel9.0	389-ds-base	<0:2.0.14-3.el9_0	0:2.0.14-3.el9_0
rpm rhel7	389-ds-base	<0:1.3.10.2-17.el7_9	0:1.3.10.2-17.el7_9

Aliases

1. CVE-2022-28502. NVD-2022-28503. OSV-DEBIAN-2022-28504. OSV-2022-28505. SECURITY-TRACKER-CVE-2022-2850

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.