Bug 979508 (CVE-2013-2219) - CVE-2013-2219 Directory Server: ACLs inoperative in some search scenarios
Summary: CVE-2013-2219 Directory Server: ACLs inoperative in some search scenarios
Alias: CVE-2013-2219
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Duplicates: 979410
Depends On: 979514 979515 979516 989682 989683
Blocks: 979512
Reported: 2013-06-28 17:06 UTC by Vincent Danen
Modified: 2023-05-12 15:23 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2021-10-20 10:40:00 UTC

Attachments
Patch (3.58 KB, patch)
2013-07-22 18:27 UTC, Nathan Kinder

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2013:1116 | 0 | normal | SHIPPED_LIVE | Moderate: redhat-ds-base security and bug fix update | 2013-07-30 08:16:30 UTC
Red Hat Product Errata | RHSA-2013:1119 | 0 | normal | SHIPPED_LIVE | Moderate: 389-ds-base security and bug fix update | 2013-07-30 20:57:57 UTC

Description Vincent Danen 2013-06-28 17:06:44 UTC
A flaw was found in how Red Hat Directory Server and the 389 Directory Server would handle access controls to certain attributes of an entry.  A user with access to the Directory Server could use a series of searches to guess the values of other attributes that they should not be able to see.  If a user had access (authenticated or anonymous, depending on whether or not the Directory Server allows anonymous access), they could use this to obtain information that should be restricted due to access controls.

Comment 2 Vincent Danen 2013-06-28 17:09:16 UTC

This issue was discovered by Ludwig Krispenz of Red Hat.

Comment 5 Nathan Kinder 2013-06-28 21:18:49 UTC
*** Bug 979410 has been marked as a duplicate of this bug. ***

Comment 13 Vincent Danen 2013-07-29 17:34:35 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 989683]

Comment 14 errata-xmlrpc 2013-07-30 04:18:28 UTC
This issue has been addressed in the following products:

  Red Hat Directory Server 8 for RHEL 5

Via RHSA-2013:1116 https://rhn.redhat.com/errata/RHSA-2013-1116.html

Comment 15 errata-xmlrpc 2013-07-30 17:01:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1119 https://rhn.redhat.com/errata/RHSA-2013-1119.html

Comment 16 Fedora Update System 2013-08-30 23:03:06 UTC
389-ds-base- has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.