{
  "threat_severity" : "Important",
  "public_date" : "2015-04-28T00:00:00Z",
  "bugzilla" : {
    "description" : "389-ds-base: access control bypass with modrdn",
    "id" : "1209573",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1209573"
  },
  "cvss" : {
    "cvss_base_score" : "4.8",
    "cvss_scoring_vector" : "AV:A/AC:L/Au:N/C:N/I:P/A:P",
    "status" : "verified"
  },
  "cwe" : "CWE-697->CWE-863",
  "details" : [ "389 Directory Server before 1.3.3.10 allows attackers to bypass intended access restrictions and modify directory entries via a crafted ldapmodrdn call.", "A flaw was found in the way Red Hat Directory Server performed authorization of modrdn operations. An unauthenticated attacker able to issue an ldapmodrdn call to the directory server could use this flaw to perform unauthorized modifications of entries in the directory server." ],
  "statement" : "This issue does not affect the version of the 389-ds-base package as shipped with Red Hat Enterprise Linux 6.",
  "acknowledgement" : "This issue was discovered by Simo Sorce (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-04-28T00:00:00Z",
    "advisory" : "RHSA-2015:0895",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "389-ds-base-0:1.3.3.1-16.el7_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Directory Server 8",
    "fix_state" : "Not affected",
    "package_name" : "redhat-ds-base",
    "cpe" : "cpe:/a:redhat:directory_server:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "389-ds-base",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-1854\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-1854" ],
  "name" : "CVE-2015-1854",
  "csaw" : false
}