Bug 849401 (CVE-2022-1949) - <net-nds/389-ds-base-2.3.2: access control bypass vulnerability
Summary: <net-nds/389-ds-base-2.3.2: access control bypass vulnerability
Status: CONFIRMED
Alias: CVE-2022-1949
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/389ds/389-ds-base/...
Whiteboard: ~4 [noglsa cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-06-02 22:02 UTC by John Helmert III
Modified: 2024-02-10 05:52 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III 2022-06-02 22:02:28 UTC
CVE-2022-1949:

An access control bypass vulnerability was found in 389-ds-base. The issue was originally treated as a mishandling of the filter that would merely yield incorrect results, but as analysis progressed it was determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to userPassword hashes and other sensitive data.

Redhat bug: https://bugzilla.redhat.com/show_bug.cgi?id=2091781

There are some PRs upstream with potential fixes: https://github.com/389ds/389-ds-base/issues/5170#issuecomment-1140630971
Comment 1 John Helmert III 2022-08-18 00:41:49 UTC
If I'm reading this git spaghetti correctly, it looks like this made it into 2.0.16, 2.1.2, and 2.2.2.
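As an added triage helper (not code from this bug report, from Gentoo, or from the 389-ds project), the script below turns the two facts the bug records into checks an administrator can run: the backported fixes named in Comment 1 (2.0.16, 2.1.2, 2.2.2) plus the summary's "<2.3.2" boundary decide whether an installed version is fixed, and a second function inspects the entries an anonymous search returned and flags any that carry userPassword values, which an unauthenticated client should never receive regardless of the filter it sent. The Gentoo atom format parsed here and the LDAP entries are constructed sample input; no server is contacted and no filter from the upstream issue is reproduced.

```python
"""Triage helper for CVE-2022-1949 (389-ds-base filter access control bypass).

Added example; not code from the Gentoo bug or from 389-ds-base itself.
  1. classify_version()/classify_atom(): compare an installed version against
     the fixed releases recorded in the bug.
  2. leaked_password_hashes(): given entries returned to an anonymous search,
     report any that expose userPassword. The entries used below are
     constructed sample data.
"""
from __future__ import annotations

import re

# Backported fixes named in Comment 1 of the bug, keyed by release branch.
BACKPORT_FIXES = {
    (2, 0): (2, 0, 16),
    (2, 1): (2, 1, 2),
    (2, 2): (2, 2, 2),
}
# Bug summary marks everything below 2.3.2 as affected (modulo the backports).
FIXED_FROM = (2, 3, 2)

# Matches the version tail of a Gentoo atom such as
# "net-nds/389-ds-base-2.0.16-r1" (assumed format of `qlist -Iv` output).
_ATOM_VERSION = re.compile(r"-(\d+(?:\.\d+)*)(?:-r\d+)?$")


def parse_version(version: str) -> tuple[int, ...]:
    """'2.0.16' or '2.0.16-r1' -> (2, 0, 16)."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def classify_version(version: str) -> str:
    """Return 'fixed' or 'vulnerable' for a 389-ds-base version string."""
    v = parse_version(version)
    if v >= FIXED_FROM:
        return "fixed"
    backport = BACKPORT_FIXES.get(v[:2])
    if backport is not None and v >= backport:
        return "fixed"
    return "vulnerable"


def classify_atom(atom: str) -> str:
    """Classify a full Gentoo package atom, e.g. 'net-nds/389-ds-base-2.0.15'."""
    match = _ATOM_VERSION.search(atom)
    if match is None:
        raise ValueError(f"no version found in atom: {atom!r}")
    return classify_version(match.group(1))


def leaked_password_hashes(entries: list[dict]) -> list[str]:
    """DNs of entries whose returned attributes include a userPassword value.

    Each entry mirrors a typical LDAP client result: a 'dn' key plus
    attribute name -> list of values. Attribute names are matched
    case-insensitively, as LDAP attribute types are.
    """
    leaked = []
    for entry in entries:
        attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
        if attrs.get("userpassword"):
            leaked.append(entry["dn"])
    return leaked


# Constructed samples: a correctly ACI-protected result and a leaking one.
SAMPLE_OK = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com",
     "uid": ["alice"], "cn": ["Alice Example"]},
]
SAMPLE_LEAK = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "uid": ["alice"],
     "userPassword": ["{PBKDF2_SHA256}constructed-sample-hash"]},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "uid": ["bob"]},
]

if __name__ == "__main__":
    for ver in ("2.0.15", "2.0.16", "2.1.1", "2.2.2", "2.3.1", "2.3.2", "1.4.4"):
        print(f"389-ds-base-{ver}: {classify_version(ver)}")
    print("installed atom:", classify_atom("net-nds/389-ds-base-2.0.16-r1"))
    print("leaked userPassword on:", leaked_password_hashes(SAMPLE_LEAK))
```

To use it against a live server, feed `leaked_password_hashes()` the entries returned by an anonymous search over the people container with `userPassword` in the requested attribute list; any DN it prints means the server's ACIs, not just the filter fix, need attention. Versions outside the branches the bug names (1.4.x, for instance) fall under the summary's "<2.3.2" rule and are reported vulnerable rather than guessed at.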