QwikSec

Security Database

CVE

CWE

Training

CVE-2019-3883

Published: Apr 17, 2019

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.0

5.3

MEDIUM

Description

In 389-ds-base up to version 1.4.1.2, requests are handled by workers threads. Each sockets will be waited by the worker for at most 'ioblocktimeout' seconds. However this timeout applies only for un-encrypted requests. Connections using SSL/TLS are not taking this timeout into account during reads, and may hang longer.An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a Denial of Service.

Vendor	Product	Versions
Red Hat	389-ds-base	affected `affects up to 1.4.1.2`

Weaknesses (CWE)

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

References

[debian-lts-announce] 20190506 [SECURITY] [DLA 1779-1] 389-ds-base security update

mailing-list

vendor-advisory

vendor-advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3883

https://pagure.io/389-ds-base/issue/50329

https://pagure.io/389-ds-base/pull-request/50331

[debian-lts-announce] 20230424 [SECURITY] [DLA 3399-1] 389-ds-base security update

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.