{
  "threat_severity" : "Important",
  "public_date" : "2019-11-04T09:14:00Z",
  "bugzilla" : {
    "description" : "389-ds-base: Read permission check bypass via the deref plugin",
    "id" : "1747448",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1747448"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-732",
  "details" : [ "A flaw was found in the 'deref' plugin of 389-ds-base: when returning attribute values of dereferenced entries, the plugin checked only the 'search' ACI permission instead of the 'read' permission. In configurations where an ACI grants 'search' but not 'read' access to an attribute, an authenticated attacker could use this to view attributes that should be private, such as password hashes.", "A flaw was found in the 'deref' plugin of 389-ds-base: when returning attribute values of dereferenced entries, the plugin checked only the 'search' ACI permission instead of the 'read' permission. In configurations where an ACI grants 'search' but not 'read' access to an attribute, an authenticated attacker could use this to view attributes that should be private, such as password hashes." ],
  "statement" : "This vulnerability is rated Important when 389-ds-base is used in an IdM/IPA environment, where an ACI installed by default allows any authenticated user to use this flaw to retrieve the userPassword attribute (the password hash) of any user. Deployments outside IdM/IPA are exposed only where their own ACIs grant 'search' access without 'read' access to sensitive attributes.",
  "acknowledgement" : "Red Hat would like to thank Gerald Vogt (Deutsches Klimarechenzentrum) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2019-11-26T00:00:00Z",
    "advisory" : "RHSA-2019:3981",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "389-ds-base-0:1.3.9.1-12.el7_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2019-11-05T00:00:00Z",
    "advisory" : "RHSA-2019:3401",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "389-ds:1.4-8010020190903200205.eb48df33"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions",
    "release_date" : "2020-02-10T00:00:00Z",
    "advisory" : "RHSA-2020:0464",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.0",
    "package" : "389-ds:1.4-8000020191107193846.187e9a3f"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "389-ds-base",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-14824\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14824\nhttps://pagure.io/389-ds-base/issue/50716" ],
  "name" : "CVE-2019-14824",
  "csaw" : false
}