CVE-2022-1949

EPSS 0.51%
Published 02.06.2022 14:15:34
Last modified 13.12.2024 18:47:19
Source secalert@redhat.com
Teams watchlist Login
Open Login

An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ 389 Directory Server Version >= 1.3.0.0 <= 2.0.0

Redhat ≫ Directory Server Version11.0

Redhat ≫ Directory Server Version12.0

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Enterprise Linux Version9.0

Fedoraproject ≫ Fedora Version34

Fedoraproject ≫ Fedora Version35

Fedoraproject ≫ Fedora Version36

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.51%	0.654

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://bugzilla.redhat.com/show_bug.cgi?id=2091781

Patch

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2022-1949

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-1949

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-1949

EUVD