Vulnerabilities > CVE-2022-1949 - Authorization Bypass Through User-Controlled Key vulnerability in multiple products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

NVD

Published: 2022-06-02

Updated: 2023-08-08

Summary

An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.

Vulnerable Configurations

Part	Description	Count
Application	Port389 Port389 389 DS Base 1.4.0	1
Application	Redhat Redhat Directory Server 11.0 Redhat Directory Server 12.0	2
OS	Redhat Redhat Enterprise Linux 8.0 Redhat Enterprise Linux 9.0	2
OS	Fedoraproject Fedoraproject Fedora 34 Fedoraproject Fedora 35 Fedoraproject Fedora 36	3

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://bugzilla.redhat.com/show_bug.cgi?id=2091781