Candidate: CVE-2020-35518
PublicDate: 2021-03-26 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35518
 https://bugzilla.redhat.com/show_bug.cgi?id=1905565
 https://github.com/389ds/389-ds-base/issues/4480
Description:
 When binding against a DN during authentication, the reply from
 389-ds-base will be different whether the DN exists or not. This can be
 used by an unauthenticated attacker to check the existence of an entry in
 the LDAP database.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3 MEDIUM]

Patches_389-ds-base:
 upstream: https://github.com/389ds/389-ds-base/commit/cc0f69283abc082488824702dae485b8eae938bc (master)
 upstream: https://github.com/389ds/389-ds-base/commit/38b97faef8a6421a7a638ecdbf0b341e2b3f9ab3 (1.4.4)
 upstream: https://github.com/389ds/389-ds-base/commit/c8e77b811b2f07a71c9cd0058a83e77e47edcd72 (1.4.3)
 upstream: https://github.com/389ds/389-ds-base/commit/16d9020a8ae1bd5ed1fd7ca1ad8041c889a88c1f (1.4.2)
upstream_389-ds-base: released (1.4.2.17, 1.4.3.18, 1.4.4.10, 2.0.2)
precise/esm_389-ds-base: DNE
trusty_389-ds-base: ignored (out of standard support)
trusty/esm_389-ds-base: DNE (trusty was not-affected [code not present])
xenial_389-ds-base: ignored (end of standard support, was not-affected [code not present])
bionic_389-ds-base: not-affected (code not present)
focal_389-ds-base: needed
groovy_389-ds-base: ignored (reached end-of-life)
hirsute_389-ds-base: not-affected (1.4.4.11-1)
impish_389-ds-base: not-affected (1.4.4.11-2build1)
jammy_389-ds-base: needs-triage
devel_389-ds-base: needs-triage