Vulnerability Description
An access control bypass vulnerability was found in 389-ds-base. The issue was originally reported as mishandling of a search filter that yielded incorrect results, but as investigation progressed it was determined to actually be an access control bypass. This may allow any remote unauthenticated user to issue a filter that searches for database entries they do not have access to, including, but not limited to, userPassword hashes and other sensitive data.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | 389 Directory Server | >= 1.3.0.0, <= 2.0.0 |
| Redhat | Directory Server | 11.0 |
| Redhat | Enterprise Linux | 8.0 |
| Fedoraproject | Fedora | 34 |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2091781 (Issue Tracking, Patch, Third Party Advisory)
FAQ
What is CVE-2022-1949?
CVE-2022-1949 is a vulnerability with a CVSS score of 7.5 (HIGH). An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an acc...
How severe is CVE-2022-1949?
CVE-2022-1949 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-1949?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat 389 Directory Server, Redhat Directory Server, Redhat Enterprise Linux, Fedoraproject Fedora.