Vulnerability Details : CVE-2021-4091
A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash.
Vulnerability category: Memory Corruption
Products affected by CVE-2021-4091
- cpe:2.3:o:redhat:enterprise_linux_desktop:7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:port389:389-ds-base:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-4091
0.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 42 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-4091
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2021-4091
-
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)
References for CVE-2021-4091
-
https://bugzilla.redhat.com/show_bug.cgi?id=2030307
2030307 – (CVE-2021-4091) CVE-2021-4091 389-ds-base: double-free of the virtual attribute context in persistent searchIssue Tracking;Patch;Vendor Advisory
-
https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html
[SECURITY] [DLA 3399-1] 389-ds-base security update
Jump to