Use-after-free Vulnerability in Novell eDirectory NCP Feature
CVE-2008-5038

9.8CRITICAL

Key Information:

Vendor

Novell
Status
Edirectory
Vendor
CVE Published:
12 November 2008

What is CVE-2008-5038?

A use-after-free vulnerability exists in the NetWare Core Protocol (NCP) feature of Novell eDirectory, impacting versions 8.7.3 SP10 prior to FTF1 and 8.8 SP2 for Windows. This flaw allows remote attackers to exploit the system, potentially leading to denial of service or execution of arbitrary code. The issue arises from a detrimental sequence of 'Get NCP Extension Information By Name' requests, which cause a thread to act on freed memory in another thread, resulting in memory corruption and instability in the service.

References

http://www.novell.com/support/viewContent.do?externalId=3...
x_refsource_CONFIRM
http://labs.idefense.com/intelligence/vulnerabilities/dis...
third-party-advisoryx_refsource_IDEFENSE
http://support.novell.com/docs/Readmes/InfoDocument/patch...
x_refsource_CONFIRM

EPSS Score

19% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.