CVE-2020-35518
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2020-35518
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-35518.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2020-35518
- Downstream
- Related
- Published
- 2021-03-26T17:15:12Z
- Modified
- 2025-10-15T12:19:18.766970Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.
- References
Affected packages
Git / github.com/389ds/389-ds-base
Affected ranges
- Type
- GIT
- Repo
- https://github.com/389ds/389-ds-base
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
389-ds-base-1.*
389-ds-base-1.2.10.a1
389-ds-base-1.2.10.a2
389-ds-base-1.2.10.a3
389-ds-base-1.2.10.a4
389-ds-base-1.2.10.a5
389-ds-base-1.2.10.a6
389-ds-base-1.2.10.a7
389-ds-base-1.2.10.a8
389-ds-base-1.2.10.rc1
389-ds-base-1.2.11.a1
389-ds-base-1.2.3
389-ds-base-1.2.4
389-ds-base-1.2.5.a1
389-ds-base-1.2.5.rc1
389-ds-base-1.2.5.rc2
389-ds-base-1.2.5.rc3
389-ds-base-1.2.5.rc4
389-ds-base-1.2.6.a1
389-ds-base-1.2.6.a2
389-ds-base-1.2.6.a3
389-ds-base-1.2.6.a4
389-ds-base-1.2.6.rc1
389-ds-base-1.2.6.rc2
389-ds-base-1.2.6.rc3
389-ds-base-1.2.7
389-ds-base-1.2.7.1
389-ds-base-1.2.7.2
389-ds-base-1.2.7.3
389-ds-base-1.2.7.4
389-ds-base-1.2.7.a1
389-ds-base-1.2.7.a2
389-ds-base-1.2.7.a3
389-ds-base-1.2.7.a4
389-ds-base-1.2.7.a5
389-ds-base-1.2.8.a1
389-ds-base-1.2.8.a2
389-ds-base-1.2.9.0
389-ds-base-1.2.9.1
389-ds-base-1.2.9.2
389-ds-base-1.2.9.3
389-ds-base-1.2.9.4
389-ds-base-1.2.9.5
389-ds-base-1.2.9.a1
389-ds-base-1.2.9.a2
389-ds-base-1.3.0.a1
389-ds-base-1.3.0.rc1
389-ds-base-1.3.5.0
389-ds-base-1.3.5.1
389-ds-base-1.3.5.10
389-ds-base-1.3.5.11
389-ds-base-1.3.5.12
389-ds-base-1.3.5.13
389-ds-base-1.3.5.2
389-ds-base-1.3.5.3
389-ds-base-1.3.5.4
389-ds-base-1.3.5.5
389-ds-base-1.3.5.6
389-ds-base-1.3.5.7
389-ds-base-1.3.5.8
389-ds-base-1.3.5.9
389-ds-base-1.3.6.0
389-ds-base-1.3.6.1
389-ds-base-1.3.6.2
389-ds-base-1.3.6.3
389-ds-base-1.3.6.4
389-ds-base-1.3.7.0
389-ds-base-1.3.7.2
389-ds-base-1.3.7.3
389-ds-base-1.3.7.4
389-ds-base-1.4.0.0
389-ds-base-1.4.0.1
389-ds-base-1.4.0.10
389-ds-base-1.4.0.11
389-ds-base-1.4.0.12
389-ds-base-1.4.0.13
389-ds-base-1.4.0.14
389-ds-base-1.4.0.15
389-ds-base-1.4.0.16
389-ds-base-1.4.0.17
389-ds-base-1.4.0.18
389-ds-base-1.4.0.19
389-ds-base-1.4.0.2
389-ds-base-1.4.0.20
389-ds-base-1.4.0.3
389-ds-base-1.4.0.4
389-ds-base-1.4.0.5
389-ds-base-1.4.0.6
389-ds-base-1.4.0.7
389-ds-base-1.4.0.8
389-ds-base-1.4.0.9
389-ds-base-1.4.1.0
389-ds-base-1.4.1.1
389-ds-base-1.4.1.2
389-ds-base-1.4.1.3
389-ds-base-1.4.1.4
389-ds-base-1.4.1.5
389-ds-base-1.4.1.6
389-ds-base-1.4.2.1
389-ds-base-1.4.2.2
389-ds-base-1.4.2.3
389-ds-base-1.4.2.4
389-ds-base-1.4.2.5
389-ds-base-1.4.3.1
389-ds-base-1.4.3.2
389-ds-base-1.4.3.3
389-ds-base-1.4.3.4
389-ds-base-1.4.3.5
389-ds-base-1.4.4.0
389-ds-base-1.4.4.1
389-ds-base-1.4.4.2
389-ds-base-1.4.4.3
389-ds-base-1.4.4.4
389-ds-base-1.4.4.5
389-ds-base-1.4.5.0
389-ds-base-2.*
389-ds-base-2.0.0
389-ds-base-2.0.0.0
389-ds-base-2.0.1
389-ds-base-2.0.2
Other
Directory_Server_8_1_Candidate_20090324
FedoraDirSvr10
FedoraDirSvr110a1
FedoraDirSvr110a2
FedoraDirSvr110a3
FedoraDirSvr110a3_20070320
FedoraDirSvr110a4
FedoraDirSvr110a4_20070720
FedoraDirSvr110b1
FedoraDirSvr110b1_20070813
FedoraDirSvr110b1_20070816
FedoraDirSvr110b2
FedoraDirSvr110b2_20071107
FedoraDirSvr111
FedoraDirSvr111_20080530
FedoraDirSvr_1_1_2
FedoraDirSvr_1_1_2_20080904
FedoraDirSvr_1_1_2_RC
FedoraDirSvr_1_1_2_RC2
FedoraDirSvr_1_1_2_RC_20080828
FedoraDirSvr_1_1_3_20080923
FedoraDirSvr_20051103_RTC
before-merge-nunc-stans
ldapserver7x
Database specific
vanir_signatures
[
{
"id": "CVE-2020-35518-436b57f3",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"77052046725761742736191245757834080893",
"200062147893151783779674741567439343108",
"316338524811121582645806109786831299266",
"301003175346272026105771522178948211242"
],
"threshold": 0.9
},
"target": {
"file": "ldap/servers/slapd/back-ldbm/ldbm_config.c"
},
"source": "https://github.com/389ds/389-ds-base/commit/cc0f69283abc082488824702dae485b8eae938bc"
},
{
"id": "CVE-2020-35518-6668af7b",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"156327268525253698363660899521115683274",
"335402869101960669245776613554960002091",
"48679503366445529733574487735975941163",
"55275383875053882883620881562959351365",
"97793999284390048575770039265417524602",
"93437357065529380144791841150808323560",
"334210813283020886431060458429448003454",
"295683751000731501741412729082515590555",
"200895548605128804941227070130969920888",
"114568757203904273824644200368920260210",
"283960780581346130140347495791233769035",
"154052428143839224908335269617999166533"
],
"threshold": 0.9
},
"target": {
"file": "ldap/servers/slapd/dse.c"
},
"source": "https://github.com/389ds/389-ds-base/commit/b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32"
},
{
"id": "CVE-2020-35518-6dbc738f",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"231900200210085628883299799942067668579",
"293227023537761690832979670014535727304",
"529580841501224453670901892392782820",
"92938755121922726516016927907363779926",
"119176856061870748709409521201365395736"
],
"threshold": 0.9
},
"target": {
"file": "ldap/servers/slapd/back-ldbm/ldbm_bind.c"
},
"source": "https://github.com/389ds/389-ds-base/commit/b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32"
},
{
"id": "CVE-2020-35518-92c102ff",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "161568368649263161676050796206389097096",
"length": 5728.0
},
"target": {
"file": "ldap/servers/slapd/result.c",
"function": "send_ldap_result_ext"
},
"source": "https://github.com/389ds/389-ds-base/commit/cc0f69283abc082488824702dae485b8eae938bc"
},
{
"id": "CVE-2020-35518-ae816c87",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "121539299605689041318853093154430367139",
"length": 2174.0
},
"target": {
"file": "ldap/servers/slapd/back-ldbm/ldbm_bind.c",
"function": "ldbm_back_bind"
},
"source": "https://github.com/389ds/389-ds-base/commit/b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32"
},
{
"id": "CVE-2020-35518-b1b7e320",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"93023770981467552284335591659520590179",
"160087572227559021620709316116632204265",
"283721859586959455658915352025728779039",
"189889751970639446926761919471682374906"
],
"threshold": 0.9
},
"target": {
"file": "ldap/servers/slapd/result.c"
},
"source": "https://github.com/389ds/389-ds-base/commit/cc0f69283abc082488824702dae485b8eae938bc"
},
{
"id": "CVE-2020-35518-f7fbbd76",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "156790754977640553600549957926651256104",
"length": 1488.0
},
"target": {
"file": "ldap/servers/slapd/dse.c",
"function": "dse_bind"
},
"source": "https://github.com/389ds/389-ds-base/commit/b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32"
}
]