CVE-2020-12243 — HIGH (7.5)

Q: What is CVE-2020-12243?

CVE-2020-12243 is a vulnerability with a CVSS score of 7.5 (HIGH). In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash).

Q: How severe is CVE-2020-12243?

CVE-2020-12243 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-12243?

Check the references section above for vendor advisories and patch information. Affected products include: Openldap Openldap, Debian Debian Linux, Opensuse Leap, Canonical Ubuntu Linux, Netapp Cloud Backup.

Vulnerability Description

In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash).

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Openldap	Openldap	< 2.4.50
Debian	Debian Linux	8.0
Opensuse	Leap	15.1
Canonical	Ubuntu Linux	12.04
Netapp	Cloud Backup	-
Netapp	Steelstore Cloud Integrated Storage	-
Netapp	H410C Firmware	-
Netapp	H410C	-
Netapp	H300S Firmware	-
Netapp	H300S	-
Netapp	H500S Firmware	-
Netapp	H500S	-
Netapp	H700S Firmware	-
Netapp	H700S	-
Netapp	H300E Firmware	-
Netapp	H300E	-
Netapp	H500E Firmware	-
Netapp	H500E	-
Netapp	H700E Firmware	-
Netapp	H700E	-

Related Weaknesses (CWE)

CWE-674

References

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00016.htmlMailing ListThird Party Advisory
https://bugs.openldap.org/show_bug.cgi?id=9202ExploitPatchVendor Advisory
https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_4/CHANGESRelease NotesVendor Advisory
https://git.openldap.org/openldap/openldap/-/commit/98464c11df8247d6a11b52e294baPatchVendor Advisory
https://lists.debian.org/debian-lts-announce/2020/05/msg00001.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20200511-0003/Third Party Advisory
https://support.apple.com/kb/HT211289Third Party Advisory
https://usn.ubuntu.com/4352-1/Third Party Advisory
https://usn.ubuntu.com/4352-2/Third Party Advisory
https://www.debian.org/security/2020/dsa-4666Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlPatchThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00016.htmlMailing ListThird Party Advisory
https://bugs.openldap.org/show_bug.cgi?id=9202ExploitPatchVendor Advisory
https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_4/CHANGESRelease NotesVendor Advisory

FAQ

What is CVE-2020-12243?

CVE-2020-12243 is a vulnerability with a CVSS score of 7.5 (HIGH). In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash).

How severe is CVE-2020-12243?

CVE-2020-12243 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-12243?

Check the references section above for vendor advisories and patch information. Affected products include: Openldap Openldap, Debian Debian Linux, Opensuse Leap, Canonical Ubuntu Linux, Netapp Cloud Backup.