A vulnerability was found in 389-ds-base: the `deref` plugin checks for either READ or SEARCH permission when dereferencing an attribute. This means that the SEARCH permission alone is sufficient to display an attribute's value via the plugin. This is relevant in particular in an IdM/IPA environment, where a default ACI ("Search existence of password and kerberos keys") is set. As a result, dereferencing can display the userPassword content of any user.
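The following is an added example, not code from 389-ds-base or from the bug report, that models the access-check mistake described above: a dereference that accepts SEARCH as sufficient leaks the attribute value, while one that requires READ does not. The ACI representation, the `rights_for` and `deref_attribute` functions, the entry and the ACIs (an IPA-like "search existence" rule on `userPassword` and `krbPrincipalKey`) are all hypothetical, constructed for illustration; the real 389-ds ACI syntax is far richer.

```python
"""Model of attribute dereference gated on ACI rights (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Aci:
    """Simplified ACI: which attributes it covers, which rights it grants,
    and who it applies to ("anyone", "authenticated", or "self")."""
    name: str
    attrs: frozenset
    rights: frozenset
    bind_rule: str


def rights_for(acis, attr, bind_dn, target_dn):
    """Union of rights granted to bind_dn on `attr` of the entry target_dn."""
    granted = set()
    for aci in acis:
        if "*" not in aci.attrs and attr not in aci.attrs:
            continue
        applies = (
            aci.bind_rule == "anyone"
            or (aci.bind_rule == "authenticated" and bool(bind_dn))
            or (aci.bind_rule == "self" and bind_dn == target_dn)
        )
        if applies:
            granted |= aci.rights
    return granted


def deref_attribute(acis, entry, attr, bind_dn, require_read=True):
    """Return the attribute value if the caller may see it, else None.

    require_read=True  : READ is required to return the value (fixed behaviour).
    require_read=False : READ *or* SEARCH suffices, reproducing the flaw, where
                         a SEARCH-only ACI exposes the value.
    """
    rights = rights_for(acis, attr, bind_dn, entry["dn"])
    if require_read:
        allowed = "read" in rights
    else:
        allowed = bool(rights & {"read", "search"})
    return entry["attrs"].get(attr) if allowed else None


# Constructed ACIs, modelled on the IPA default named in the report: it grants
# SEARCH (existence) only, never READ, on password and key attributes.
ACIS = (
    Aci("Search existence of password and kerberos keys",
        frozenset({"userPassword", "krbPrincipalKey"}),
        frozenset({"search"}), "authenticated"),
    Aci("Anonymous read of public attributes",
        frozenset({"cn", "mail"}),
        frozenset({"read", "search"}), "anyone"),
)

# Constructed directory entry with a placeholder hash (not a real credential).
ALICE = {
    "dn": "uid=alice,cn=users,dc=example,dc=test",
    "attrs": {
        "cn": "Alice",
        "mail": "alice@example.test",
        "userPassword": "{PBKDF2}constructed-placeholder-hash",
    },
}

BOB_DN = "uid=bob,cn=users,dc=example,dc=test"


if __name__ == "__main__":
    # Another authenticated user, flawed check: value leaks.
    print("flawed:", deref_attribute(ACIS, ALICE, "userPassword", BOB_DN, require_read=False))
    # Same user, READ required: value withheld.
    print("fixed: ", deref_attribute(ACIS, ALICE, "userPassword", BOB_DN, require_read=True))
    # Public attribute remains readable either way.
    print("cn:    ", deref_attribute(ACIS, ALICE, "cn", BOB_DN))
```

The point of the model is the difference between "may learn that an attribute exists" (SEARCH) and "may read its value" (READ): a dereference that returns values must be gated on READ, and auditing a directory for ACIs that grant only SEARCH on sensitive attributes is the quick way to see why the flaw mattered in IdM/IPA.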
Acknowledgments: Name: Gerald Vogt (Deutsches Klimarechenzentrum)
Statement: This vulnerability is rated Important when used in an IdM/IPA environment, where an ACI installed by default allows an authenticated attacker to use this flaw to retrieve the userPassword attribute of any user.
Created 389-ds-base tracking bugs for this issue: Affects: fedora-all [bug 1768373]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3401 https://access.redhat.com/errata/RHSA-2019:3401
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14824
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:3981 https://access.redhat.com/errata/RHSA-2019:3981
Upstream patch: https://pagure.io/389-ds-base/c/ddbe3c8fe
External References: https://pagure.io/389-ds-base/issue/50716
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0464 https://access.redhat.com/errata/RHSA-2020:0464