CERTA-2003-AVI-004

Vulnerability from certfr_avis - Published: 2003-01-16 - Updated: 2003-02-07


Description

OpenLDAP is an implementation of LDAP (Lightweight Directory Access Protocol).

Several vulnerabilities in the OpenLDAP package allow a malicious user to remotely execute arbitrary code on a machine hosting a vulnerable LDAP server.

In addition, the OpenLDAP2 library contains other vulnerabilities that are exploitable locally.

Solution

Refer to the security bulletins of the various vendors for the availability of patches (see the Documentation section).

OpenLDAP version 2.0.25 and earlier.


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003eOpenLDAP version 2.0.25 et ant\u00e9rieures.\u003c/p\u003e",
  "content": "## Description\n\nOpenLDAP est une impl\u00e9mentation de LDAP (Lightweight Directory Access\nProtocol).\n\nPlusieurs vuln\u00e9rabilit\u00e9s pr\u00e9sentes dans le paquetage OpenLDAP permettent\n\u00e0 un utilisateur mal intentionn\u00e9 d\u0027ex\u00e9cuter du code arbitraire \u00e0\ndistance sur une machine h\u00e9bergeant un serveur LDAP vuln\u00e9rable.\n\nDe plus, la biblioth\u00e8que OpenLDAP2 contient d\u0027autres vuln\u00e9rabilit\u00e9s\nexploitables en local.\n\n## Solution\n\nSe r\u00e9f\u00e9rer aux bulletins de s\u00e9curit\u00e9 des diff\u00e9rents \u00e9diteurs pour\nconna\u00eetre la disponibilit\u00e9 des correctifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2003-01-16T00:00:00",
  "last_revision_date": "2003-02-07T00:00:00",
  "links": [
    {
      "title": "Site de OpenLDAP :",
      "url": "http://www.openldap.org"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 RHSA-2003:040 de Red Hat :",
      "url": "http://rhn.redhat.com/errata/RHSA-2003-040.html"
    }
  ],
  "reference": "CERTA-2003-AVI-004",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2003-01-16T00:00:00.000000"
    },
    {
      "description": "Ajout r\u00e9f\u00e9rence au bulletin de s\u00e9curit\u00e9 RHSA-2003:040 de Red Hat.",
      "revision_date": "2003-02-07T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": null,
  "title": "Vuln\u00e9rabilit\u00e9 dans OpenLDAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 MDKSA-2003:006 de Mandrake",
      "url": "http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:006"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SuSE-SA:2002:047 de SuSE",
      "url": "http://www.suse.com/de/security/2002_047_openldap2.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 DSA-227 de Debian",
      "url": "http://www.debian.org/security/2003/dsa-227"
    }
  ]
}

