CVE-2019-14824

NameCVE-2019-14824
DescriptionA flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2004-1, DLA-3399-1
Debian Bugs944150

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
389-ds-base (PTS)jessie, jessie (lts)1.3.3.5-4+deb8u7fixed
stretch1.3.5.17-2vulnerable
buster (security), buster, buster (lts)1.4.0.21-1+deb10u1fixed
bullseye1.4.4.11-2fixed
bookworm2.3.1+dfsg1-1fixed
sid, trixie3.1.1+dfsg1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
389-ds-basesourcewheezy(unfixed)end-of-life
389-ds-basesourcejessie1.3.3.5-4+deb8u7DLA-2004-1
389-ds-basesourcebuster1.4.0.21-1+deb10u1DLA-3399-1
389-ds-basesource(unstable)1.4.2.4-1944150

Notes

[stretch] - 389-ds-base <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=1747448
https://pagure.io/freeipa/issue/8050
https://github.com/389ds/389-ds-base/issues/3771
Search for package or bug name: Reporting problems