[Pkg-freeipa-devel] Bug#1016446: 389-ds-base: CVE-2022-1949
Salvatore Bonaccorso
carnil at debian.org
Thu Dec 29 09:15:45 GMT 2022
Control: severity -1 grave
On Sun, Jul 31, 2022 at 09:35:33PM +0200, Moritz Mühlenhoff wrote:
> Source: 389-ds-base
> X-Debbugs-CC: team at security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for 389-ds-base.
>
> CVE-2022-1949[0]:
> | An access control bypass vulnerability found in 389-ds-base. That
> | mishandling of the filter that would yield incorrect results, but as
> | that has progressed, can be determined that it actually is an access
> | control bypass. This may allow any remote unauthenticated user to
> | issue a filter that allows searching for database items they do not
> | have access to, including but not limited to potentially userPassword
> | hashes and other sensitive data.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2091781
> https://github.com/389ds/389-ds-base/issues/5170
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-1949
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1949
>
> Please adjust the affected versions in the BTS as needed.
The fix for this issue seems included in 2.0.16 upstream. Can you make
sure the fix land in bookworm?
Regards,
Salvatore
More information about the Pkg-freeipa-devel
mailing list