Vulnerability Name:

CVE-2013-4485 (CCN-89158)

Assigned:2013-10-29
Published:2013-10-29
Updated:2019-04-22
Summary:389 Directory Server 1.2.11.15 (aka Red Hat Directory Server before 8.2.11-14) allows remote authenticated users to cause a denial of service (crash) via multiple @ characters in a GER attribute list in a search request.
CVSS v3 Severity:3.5 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
5.0 Medium (REDHAT CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-20
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2013-4485

Source: CCN
Type: 389 Directory Server Web site
389 Directory Server (Open Source LDAP)

Source: REDHAT
Type: Vendor Advisory
RHSA-2013:1752

Source: REDHAT
Type: Vendor Advisory
RHSA-2013:1753

Source: CCN
Type: oss-sec Mailing List, Thu, 21 Nov 2013 08:15:07 -0700
389-ds DoS due to improper handling of ger attr searches (CVE-2013-4485)

Source: CCN
Type: SA55719
389 Directory Server GER Access Right Verification Denial of Service Vulnerability

Source: SECUNIA
Type: Vendor Advisory
55765

Source: CCN
Type: OSVDB ID: 100110
Red Hat Directory Server / 389 Directory Server Get Effective Rights (GER) Search Query Handling Remote DoS

Source: CCN
Type: BID-63850
389 Directory Server CVE-2013-4485 Denial of Service Vulnerability

Source: CCN
Type: Red Hat Bugzilla Bug 1024552
CVE-2013-4485 389-ds-base: DoS due to improper handling of ger attr searches

Source: XF
Type: UNKNOWN
389directoryserver-cve20134485-dos(89158)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-4485

Vulnerable Configuration:Configuration 1:
  • cpe:/o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/a:fedoraproject:389_directory_server:1.2.11.15:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:directory_server:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:directory_server:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:directory_server:8.1:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:directory_server:*:*:*:*:*:*:*:* (Version <= 8.2)

    • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:fedoraproject:389_directory_server:1.3.2.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:26944
    P
    		ELSA-2013-1752 -- 389-ds-base security update (important)
    2014-12-15
    oval:org.mitre.oval:def:27153
    P
    		RHSA-2013:1752 -- 389-ds-base security update (Important)
    2014-12-08
    oval:com.ubuntu.precise:def:20134485000
    V
    		CVE-2013-4485 on Ubuntu 12.04 LTS (precise) - medium.
    2013-11-23
    oval:com.ubuntu.trusty:def:20134485000
    V
    		CVE-2013-4485 on Ubuntu 14.04 LTS (trusty) - medium.
    2013-11-23
    oval:com.ubuntu.xenial:def:201344850000000
    V
    		CVE-2013-4485 on Ubuntu 16.04 LTS (xenial) - medium.
    2013-11-23
    oval:com.ubuntu.xenial:def:20134485000
    V
    		CVE-2013-4485 on Ubuntu 16.04 LTS (xenial) - medium.
    2013-11-23
    oval:com.redhat.rhsa:def:20131752
    P
    		RHSA-2013:1752: 389-ds-base security update (Important)
    2013-11-21
    BACK
    redhat enterprise linux 6.0
    fedoraproject 389 directory server 1.2.11.15
    redhat directory server 7.1
    redhat directory server 8.0
    redhat directory server 8.1
    redhat directory server *
    fedoraproject 389 directory server 1.3.2.2