Vulnerability Name: CVE-2020-36225 (CCN-195554)

Assigned: 2021-01-18
Published: 2021-01-18
Updated: 2022-04-13
Summary:A flaw was discovered in OpenLDAP before 2.4.57 leading to a double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None
    Integrity (I): None
    Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None
    Integrity (I): None
    Availability (A): High
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Exploitability Metrics: Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics: Confidentiality (C): None
    Integrity (I): None
    Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
  Exploitability Metrics: Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics: Confidentiality (C): None
    Integrity (I): None
    Availability (A): Complete
Vulnerability Type: CWE-415
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2020-36225

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20210526 APPLE-SA-2021-05-25-4 Security Update 2021-003 Catalina

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20210526 APPLE-SA-2021-05-25-3 Security Update 2021-004 Mojave

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20210526 APPLE-SA-2021-05-25-2 macOS Big Sur 11.4

Source: CCN
Type: OpenLDAP Issue Tracking System - Issue 9412
Packet crashes openldap due to double free, related to saslAuthzTo

Source: MISC
Type: Issue Tracking, Vendor Advisory
https://bugs.openldap.org/show_bug.cgi?id=9412

Source: XF
Type: UNKNOWN
openldap-cve202036225-dos(195554)

Source: MISC
Type: Patch, Vendor Advisory
https://git.openldap.org/openldap/openldap/-/commit/554dff1927176579d652f2fe60c90e9abbad4c65

Source: MISC
Type: Patch, Vendor Advisory
https://git.openldap.org/openldap/openldap/-/commit/5a2017d4e61a6ddc4dcb4415028e0d08eb6bca26

Source: MISC
Type: Patch, Vendor Advisory
https://git.openldap.org/openldap/openldap/-/commit/c0b61a9486508e5202aa2e0cfb68c9813731b439

Source: MISC
Type: Patch, Vendor Advisory
https://git.openldap.org/openldap/openldap/-/commit/d169e7958a3e0dc70f59c8374bf8a59833b7bdd8

Source: MISC
Type: Release Notes, Vendor Advisory
https://git.openldap.org/openldap/openldap/-/tags/OPENLDAP_REL_ENG_2_4_57

Source: MLIST
Type: Mailing List, Third Party Advisory
[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8

Source: MLIST
Type: Mailing List, Third Party Advisory
[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210203 [SECURITY] [DLA 2544-1] openldap security update

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210226-0002/

Source: CCN
Type: Apple security document HT212529
About the security content of macOS Big Sur 11.4

Source: CCN
Type: Apple security document HT212530
About the security content of Security Update 2021-003 Catalina

Source: CCN
Type: Apple security document HT212531
About the security content of Security Update 2021-004 Mojave

Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT212529

Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT212530

Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT212531

Source: DEBIAN
Type: Third Party Advisory
DSA-4845

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: OpenLDAP Web site
OpenLDAP

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-36225

Vulnerable Configuration:
  Configuration 1:
  • cpe:/a:openldap:openldap:*:*:*:*:*:*:*:* (Version < 2.4.57)

  Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

  Configuration 3:
  • cpe:/o:apple:macos:*:*:*:*:*:*:*:* (Version >= 11.1 and < 11.4)

  Configuration CCN 1:
  • cpe:/a:openldap:openldap:2.4.56:*:*:*:*:*:*:*
    AND
  • cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

  * Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8047 | P | openldap2-devel-32bit-2.4.46-150200.14.11.2 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:7609 | P | libldap-2_4-2-2.4.46-150200.14.11.2 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:3024 | P | bind-9.11.2-3.10.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3412 | P | yast2-core-3.3.1-1.7 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3574 | P | libapr1-1.5.1-4.5.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:95042 | P | openldap2-devel-32bit-2.4.46-150200.14.5.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94686 | P | libpcsclite1-1.9.4-150400.1.9 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94947 | P | libid3tag0-0.15.1b-3.14 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94654 | P | libldap-2_4-2-2.4.46-150200.14.5.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:1080 | P | Security update for ImageMagick (Moderate) (in QA) | 2022-06-16
oval:org.opensuse.security:def:151 | P | libldap-2_4-2-2.4.46-9.51.1 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:102305 | P | Security update for the Linux Kernel (Important) | 2022-04-13
oval:org.opensuse.security:def:101660 | P | Security update for python-lxml (Important) | 2022-03-10
oval:org.opensuse.security:def:93324 | P | (Important) | 2022-03-04
oval:org.opensuse.security:def:99214 | P | (Moderate) | 2022-02-21
oval:org.opensuse.security:def:4538 | P | Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP5) (Important) | 2021-12-14
oval:org.opensuse.security:def:102226 | P | Security update for xen (Moderate) | 2021-12-07
oval:org.opensuse.security:def:99411 | P | (Important) | 2021-09-02
oval:org.opensuse.security:def:101399 | P | sblim-sfcb-1.4.9-5.6.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:63098 | P | openldap2-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2009 | P | openldap2-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:71910 | P | libldap-2_4-2-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1939 | P | openldap2-devel-32bit-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72747 | P | openldap2-devel-32bit-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:100927 | P | libldap-2_4-2-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62169 | P | libldap-2_4-2-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101286 | P | openldap2-devel-32bit-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:63028 | P | openldap2-devel-32bit-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:45072 | P | Security update for openldap2 (Important) | 2021-04-16
oval:org.opensuse.security:def:38257 | P | Security update for openldap2 (Important) | 2021-04-16
oval:org.opensuse.security:def:46053 | P | Security update for openldap2 (Important) | 2021-04-16
oval:org.opensuse.security:def:42797 | P | Security update for openldap2 (Important) | 2021-04-16
oval:org.opensuse.security:def:40642 | P | Security update for openldap2 (Important) | 2021-04-16
oval:org.opensuse.security:def:37512 | P | Security update for openldap2 (Important) | 2021-04-16
oval:org.opensuse.security:def:41623 | P | Security update for openldap2 (Important) | 2021-04-16
oval:org.opensuse.security:def:111263 | P | Security update for openldap2 (Important) | 2021-03-14
oval:org.opensuse.security:def:92069 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:67054 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:8908 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:97271 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:95592 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:92859 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:100379 | P | (Important) | 2021-03-08
oval:org.opensuse.security:def:76122 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:70000 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:99610 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:9860 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:108892 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:5965 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:117840 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:92264 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:67554 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:99019 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:9103 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:93018 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:70357 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:99809 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:10217 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:64663 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:108971 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:6465 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:117894 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:92461 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:73785 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:69603 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:9463 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:108065 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:93171 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:70551 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:100121 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:10411 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:65627 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:8714 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:95513 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:92660 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:74695 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:69801 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:9661 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:108326 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:117579 | P | Security update for openldap2 (Important) | 2021-03-08
oval:org.opensuse.security:def:39265 | P | Security update for openldap2 (Important) | 2021-03-04
oval:org.opensuse.security:def:43695 | P | Security update for openldap2 (Important) | 2021-03-04
oval:org.opensuse.security:def:28947 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:23186 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:89513 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:59858 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:85816 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:125664 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:55303 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:31739 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:51174 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:24031 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:20718 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:88258 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:58091 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:83242 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:34035 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:52019 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:29480 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:23754 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:60468 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:86203 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:126831 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:55858 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:81114 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:4752 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:32268 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:51742 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:24062 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:21420 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:88575 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:58914 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:84278 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:34645 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:52050 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:30035 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:49189 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:23755 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:86732 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:127228 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:57175 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:82154 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:5190 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:33091 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:51743 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:26203 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:23185 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:89255 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:59600 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:84736 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:125663 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:54770 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:31352 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:51173 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:24030 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:87555 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:57562 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:82687 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:33777 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:52018 | P | Security update for openldap2 (Important) | 2021-03-03