Red Hat Directory Server

Recent Red Hat Directory Server Security Advisories

| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:3379 | (RHSA-2026:3379) Red Hat Directory Server 13.1 container image available as a Technology Preview | February 25, 2026 |

By the Year

In 2026 there has been 1 vulnerability in Red Hat Directory Server, with an average score of 7.2 out of ten. Last year, in 2025, Directory Server had 3 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in Directory Server in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 2.17.




| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 7.20 |
| 2025 | 3 | 5.03 |
| 2024 | 6 | 6.10 |
| 2023 | 1 | 5.50 |
| 2022 | 2 | 7.00 |
| 2021 | 1 | 5.30 |

It may take a day or so for new Directory Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Directory Server Security Vulnerabilities

389-ds-base Heap Buffer Overflow in schema_attr_enum_callback
CVE-2025-14905 7.2 - High - February 23, 2026

A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE).

Heap-based Buffer Overflow

crossbeam-channel: Drop race may lead to double-free (CVE-2025-4574)
CVE-2025-4574 6.5 - Medium - May 13, 2025

In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

Double-free

OpenSSL Use-After-Free via properties arg leads to UDB
CVE-2025-3416 3.7 - Low - April 08, 2025

A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.

Dangling pointer

Apache Directory Server 389-ds-base ModifyDN NULL Pointer DoS
CVE-2025-2487 4.9 - Medium - March 18, 2025

A flaw was found in the 389-ds-base LDAP Server. This issue occurs when issuing a Modify DN LDAP operation through the LDAP protocol, when the function return value is not tested and a NULL pointer is dereferenced. If a privileged user performs an LDAP MODDN operation after a failed operation, it could lead to a Denial of Service (DoS) or system crash.

NULL Pointer Dereference

389DS Crash via Malformed userPassword Input
CVE-2024-8445 5.7 - Medium - September 05, 2024

The fix for CVE-2024-2199 in 389-ds-base was insufficient to cover all scenarios. In certain product versions, an authenticated user may cause a server crash while modifying `userPassword` using malformed input.

Improper Input Validation

CVE-2024-6237: 389 Directory Server Unauth Extended Search DoS
CVE-2024-6237 6.5 - Medium - July 09, 2024

A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service.

Improper Handling of Missing Values

389-ds-base LDAP DoS via Malformed Hash Login
CVE-2024-5953 5.7 - Medium - June 18, 2024

A denial of service vulnerability was found in the 389-ds-base LDAP server. This issue may allow an authenticated user to cause a server denial of service while attempting to log in with a user with a malformed hash in their password.

Improper Validation of Consistency within Input

389 DS LDAP Crafted Query DoS
CVE-2024-3657 7.5 - High - May 28, 2024

A flaw was found in 389-ds-base. A specially crafted LDAP query can potentially cause a failure on the directory server, leading to a denial of service.

Improper Input Validation

389 DS LDAP Auth DoS via Malformed userPassword Mod
CVE-2024-2199 5.7 - Medium - May 28, 2024

A denial of service vulnerability was found in the 389-ds-base LDAP server. This issue may allow an authenticated user to cause a server crash while modifying `userPassword` using malformed input.

Improper Input Validation

389 Directory Server DOS via Heap Overflow in log_entry_attr
CVE-2024-1062 5.5 - Medium - February 12, 2024

A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.

Heap-based Buffer Overflow

Red Hat Directory Server LDAP password decode flaw leaks hashed creds
CVE-2023-1055 5.5 - Medium - February 27, 2023

A flaw was found in RHDS 11 and RHDS 12. While browsing entries, LDAP tries to decode the userPassword attribute instead of the userCertificate attribute, which could lead to sensitive information being leaked. An attacker with a local account where the cockpit-389-ds is running can list the processes and display the hashed passwords. The highest threat from this vulnerability is to data confidentiality.

Improper Certificate Validation

389 Directory Server NULL Pointer Deref via ContentSync Plugin DoS
CVE-2022-2850 6.5 - Medium - October 14, 2022

A flaw was found in 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514.

NULL Pointer Dereference

An access control bypass vulnerability found in 389-ds-base
CVE-2022-1949 7.5 - High - June 02, 2022

An access control bypass vulnerability was found in 389-ds-base. The issue is a mishandling of the filter that would yield incorrect results, but as that has progressed, it can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.

Insecure Direct Object Reference / IDOR

When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not
CVE-2020-35518 5.3 - Medium - March 26, 2021

When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.

Side Channel Attack

Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled
CVE-2014-3562 - August 21, 2014

Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allow remote attackers to obtain sensitive replicated metadata by searching the directory.

Buffer overflow in the regular expression handler in Red Hat Directory Server 8.0 and 7.1 before SP6 allows remote attackers to cause a denial of service (slapd crash) and possibly execute arbitrary code via a crafted LDAP query
CVE-2008-1677 - May 12, 2008

Buffer overflow in the regular expression handler in Red Hat Directory Server 8.0 and 7.1 before SP6 allows remote attackers to cause a denial of service (slapd crash) and possibly execute arbitrary code via a crafted LDAP query that triggers the overflow during translation to a regular expression.

The replication monitor CGI script (repl-monitor-cgi.pl) in Red Hat Administration Server, as used by Red Hat Directory Server 8.0 EL4 and EL5
CVE-2008-0892 - April 16, 2008

The replication monitor CGI script (repl-monitor-cgi.pl) in Red Hat Administration Server, as used by Red Hat Directory Server 8.0 EL4 and EL5, allows remote attackers to execute arbitrary commands.

Improper Input Validation
