Vulnerability Name:

CVE-2014-9713

Assigned:2015-03-29
Published:2015-04-01
Updated:2016-12-21
Summary:The default slapd configuration in the Debian openldap package 2.4.23-3 through 2.4.39-1.1 allows remote authenticated users to modify the user's permissions and other user attributes via unspecified vectors.
CVSS v3 Severity:3.5 Low (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-264
References:Source: DEBIAN
Type: VENDOR_ADVISORY
http://www.debian.org/security/2015/dsa-3209

Source: MLIST
Type: UNKNOWN
http://www.openwall.com/lists/oss-security/2015/03/29/2

Source: BID
Type: UNKNOWN
73217

Source: UBUNTU
Type: UNKNOWN
http://www.ubuntu.com/usn/USN-2742-1

Source: CONFIRM
Type: UNKNOWN
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406

Vulnerable Configuration:Configuration 1:
  • cpe:/a:openldap:openldap:2.4.23:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.24:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.25:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.26:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.27:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.28:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.29:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.30:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.31:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.32:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.33:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.34:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.35:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.36:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.37:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.38:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.39:*:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*

  • Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.cisecurity:def:224
    P
    DSA-3209-1 -- openldap -- security update
    2016-02-08
    oval:com.ubuntu.precise:def:20149713000
    V
    CVE-2014-9713 on Ubuntu 12.04 LTS (precise) - low.
    2015-04-01
    oval:com.ubuntu.trusty:def:20149713000
    V
    CVE-2014-9713 on Ubuntu 14.04 LTS (trusty) - low.
    2015-04-01
    BACK
    openldap openldap 2.4.23
    openldap openldap 2.4.24
    openldap openldap 2.4.25
    openldap openldap 2.4.26
    openldap openldap 2.4.27
    openldap openldap 2.4.28
    openldap openldap 2.4.29
    openldap openldap 2.4.30
    openldap openldap 2.4.31
    openldap openldap 2.4.32
    openldap openldap 2.4.33
    openldap openldap 2.4.34
    openldap openldap 2.4.35
    openldap openldap 2.4.36
    openldap openldap 2.4.37
    openldap openldap 2.4.38
    openldap openldap 2.4.39
    debian debian_linux 7.0