Vulnerability Details : CVE-2008-2952
liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams that trigger an assertion error.
Vulnerability category: Denial of service
Products affected by CVE-2008-2952
- cpe:2.3:a:openldap:openldap:2.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.14:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.15:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.22:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.23:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.13:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.18:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.19:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.26:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.27:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.20:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.21:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.16:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.17:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.24:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.25:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.39:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.34:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.35:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.41:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.42:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.30:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.31:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.38:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.32:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.33:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.40:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.28:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.29:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.36:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.37:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.43:*:*:*:*:*:*:*
- cpe:2.3:a:openldap:openldap:2.3.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-2952
82.62%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2008-2952
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2008-2952
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2008-2952
-
http://www.securityfocus.com/archive/1/495320/100/0/threaded
-
http://www.vupen.com/english/advisories/2008/1978/references
Site en constructionVendor Advisory
-
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580
5580 – BER Decoding Remote DoS Vulnerability
-
https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00129.html
[SECURITY] Fedora 9 Update: openldap-2.4.8-6.fc9
-
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00006.html
502 Bad Gateway
-
https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00109.html
[SECURITY] Fedora 8 Update: openldap-2.3.39-4.fc8
-
http://www.openwall.com/lists/oss-security/2008/07/13/2
oss-security - Re: openldap DoS
-
http://www.ubuntu.com/usn/usn-634-1
USN-634-1: OpenLDAP vulnerability | Ubuntu security notices | Ubuntu
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/43515
OpenLDAP ber_get_next function denial of service CVE-2008-2952 Vulnerability Report
-
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580
-
http://www.vupen.com/english/advisories/2008/2268
Webmail: access your OVH emails on ovhcloud.com | OVHcloudVendor Advisory
-
http://lists.apple.com/archives/security-announce//2008/Jul/msg00003.html
-
http://security.gentoo.org/glsa/glsa-200808-09.xml
OpenLDAP: Denial of Service vulnerability (GLSA 200808-09) — Gentoo security
-
https://issues.rpath.com/browse/RPL-2645
-
http://wiki.rpath.com/Advisories:rPSA-2008-0249
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10662
404 Not Found
-
http://www.debian.org/security/2008/dsa-1650
[SECURITY] [DSA 1650-1] New openldap2.3 packags fix denial of service
-
http://www.securityfocus.com/bid/30013
-
http://www.redhat.com/support/errata/RHSA-2008-0583.html
Support
-
http://www.mandriva.com/security/advisories?name=MDVSA-2008:144
Mandriva
-
http://www.securitytracker.com/id?1020405
Access Denied
-
http://www.zerodayinitiative.com/advisories/ZDI-08-052/
ZDI-08-052 | Zero Day Initiative
-
http://www.openwall.com/lists/oss-security/2008/07/01/2
oss-security - Re: openldap DoS
Jump to