The access control is not working for specific search filter
Environment
Red Hat Directory Server 8
Red Hat Directory Server 9
Red Hat Enterprise Linux 6
Issue
With a specific ACI deployment and binding as a specific user, the entries returned differ depending on the search filter used, as follows:
(givenname=test*) ==> returns no entries
(sn=test*) ==> returns two entries
(|(givenname=test*)(sn=test*)) ==> returns three entries
(|(sn=test*)(givenname=test*)) ==> returns three entries
Only the two entries returned by (sn=test*) should be returned.
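A black-box regression check for the behaviour above, added here as an example (not Red Hat's code): for one bind identity, search base and scope, and with no size limit reached, (|(A)(B)) must return exactly the union of what (A) and (B) return alone, so any extra DN marks an affected server. The function names and the sample LDIF are constructed for illustration; in practice the text would be saved ldapsearch output for each filter.

```python
import base64

def dns_from_ldif(text):
    """Return the set of entry DNs found in ldapsearch LDIF output."""
    lines = []
    for raw in text.splitlines():
        # LDIF folding: a line starting with one space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dns = set()
    for line in lines:
        if line.startswith("dn::"):        # base64-encoded DN
            dn = base64.b64decode(line[4:].strip()).decode("utf-8")
        elif line.startswith("dn:"):
            dn = line[3:].strip()
        else:
            continue                       # attribute lines, comments, blanks
        dns.add(dn.lower())                # normalise case before comparing
    return dns

def or_filter_leak(or_result, component_results):
    """DNs the OR filter returned that no component filter returned alone."""
    allowed = set().union(*component_results)
    return sorted(or_result - allowed)

# Constructed sample output (not from the article), shaped like the reported case.
GIVENNAME_OUT = ""                         # (givenname=test*): no entries
SN_OUT = """\
dn: uid=tuser1,ou=People,dc=example,dc=com
sn: test1

dn: uid=tuser2,ou=People,dc=example,dc=com
sn: test2
"""
OR_OUT = SN_OUT + """
dn: uid=tuser3,ou=People,
 dc=example,dc=com
"""                                        # (|(givenname=test*)(sn=test*)): three entries

if __name__ == "__main__":
    parts = [dns_from_ldif(GIVENNAME_OUT), dns_from_ldif(SN_OUT)]
    print("affected:", or_filter_leak(dns_from_ldif(OR_OUT), parts))
    print("fixed:   ", or_filter_leak(dns_from_ldif(SN_OUT), parts))
```

An empty list from or_filter_leak for both orderings of the OR filter is the expected result once the advisory is applied.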
Resolution
This issue has been assigned the Common Vulnerabilities and Exposures ID CVE-2013-2219 and has been addressed in Red Hat Directory Server 8 for RHEL 5 by the security advisory RHSA-2013:1116.
In Red Hat Directory Server 9 and Red Hat Enterprise Linux 6 it is addressed by the security advisory RHSA-2013:1119.