Insufficient Fix for Server Crash Vulnerability in 389-ds-base
CVE-2024-8445

5.7MEDIUM

Key Information:

Vendor
Red Hat
Status
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Red Hat Directory Server 11
Red Hat Directory Server 12
Red Hat Enterprise Linux 6
Vendor
CVE Published:
5 September 2024

Summary

An insufficient input validation vulnerability exists in Red Hat 389 Directory Server (389-ds-base), which allows authenticated users to cause a server crash. This vulnerability arises when an authenticated user attempts to modify the userPassword attribute using malformed input. The fix for a previous vulnerability (CVE-2024-2199) did not address all potential scenarios, leaving certain versions of the server susceptible to this issue. It is crucial for users to be aware of this risk and to apply the necessary updates to ensure the security and stability of their deployment.

Affected Version(s)

Red Hat Enterprise Linux 7 Extended Lifecycle Support 0:1.3.11.1-7.el7_9

References

https://access.redhat.com/errata/RHSA-2024:7434
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-8445
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2310110
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
5.7
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.