A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service.
Weakness
The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Directory_server | Redhat | 12.0 (including) | 12.0 (including) |
| 389_directory_server | Redhat | - (including) | - (including) |
| Enterprise_linux | Redhat | 9.0 (including) | 9.0 (including) |
| Red Hat Directory Server 12.4 for RHEL 9 | RedHat | redhat-ds:12-9040020240723122852.1674d574 | * |
| Red Hat Enterprise Linux 9 | RedHat | 389-ds-base-0:2.4.5-9.el9_4 | * |
| 389-ds-base | Ubuntu | focal | * |
| 389-ds-base | Ubuntu | mantic | * |
| 389-ds-base | Ubuntu | upstream | * |
References
- https://access.redhat.com/errata/RHSA-2024:4997
- https://access.redhat.com/errata/RHSA-2024:5192
- https://access.redhat.com/security/cve/CVE-2024-6237
- https://bugzilla.redhat.com/show_bug.cgi?id=2293579
- https://github.com/389ds/389-ds-base/issues/5989
- https://access.redhat.com/security/cve/CVE-2024-6237
- https://bugzilla.redhat.com/show_bug.cgi?id=2293579
- https://github.com/389ds/389-ds-base/issues/5989