Vulnerability Details : CVE-2018-14624
A vulnerability was discovered in 389-ds-base through versions 1.3.7.10, 1.3.8.8 and 1.4.0.16. The lock controlling the error log was not correctly used when re-opening the log file in log__error_emergency(). An attacker could send a flood of modifications to a very large DN, which would cause slapd to crash.
Vulnerability category: Input validation
Products affected by CVE-2018-14624
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- Fedoraproject » 389 Directory ServerVersions from including (>=) 1.3.8.0 and up to, including, (<=) 1.3.8.8cpe:2.3:a:fedoraproject:389_directory_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:389_directory_server:*:*:*:*:*:*:*:*
- Fedoraproject » 389 Directory ServerVersions from including (>=) 1.4.0.0 and up to, including, (<=) 1.4.0.16cpe:2.3:a:fedoraproject:389_directory_server:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-14624
1.31%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 86 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-14624
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST | |
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
Red Hat, Inc. |
CWE ids for CVE-2018-14624
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by:
- nvd@nist.gov (Secondary)
- secalert@redhat.com (Primary)
References for CVE-2018-14624
-
https://pagure.io/389-ds-base/issue/49937
Issue #49937: Crash in vslapd_log_emergency_error - 389-ds-base - Pagure.ioExploit;Vendor Advisory
-
https://access.redhat.com/errata/RHSA-2018:2757
RHSA-2018:2757 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2018/09/msg00037.html
[SECURITY] [DLA 1526-1] 389-ds-base security updateMailing List;Third Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14624
1619450 – (CVE-2018-14624) CVE-2018-14624 389-ds-base: Server crash through modify command with large DNExploit;Issue Tracking;Patch;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00033.html
[security-announce] openSUSE-SU-2019:1397-1: important: Security update
Jump to