CVE-2008-2952

Current Description

liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams that trigger an assertion error.

Basic Data

Published: July 01, 2008
Last Modified: October 11, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-399
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 5.0
Severity: MEDIUM
Exploitability Score: 10.0
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Openldap | Openldap | 2.2.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.2.5 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.2.6 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.2.7 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.2.8 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.2.9 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.5 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.6 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.7 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.8 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.9 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.10 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.11 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.12 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.13 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.14 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.15 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.16 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.17 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.18 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.19 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.20 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.21 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.22 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.23 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.24 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.25 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.26 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.27 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.28 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.29 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.30 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.31 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.32 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.33 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.34 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.35 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.36 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.37 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.38 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.39 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.40 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.41 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.42 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.3.43 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Openldap | Openldap | 2.4.10 | * | * | * | * | * | * | * | | | |

Vulnerable Software List

Vendor | Product | Versions
Openldap | Openldap | 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.10, 2.3.11, 2.3.12, 2.3.13, 2.3.14, 2.3.15, 2.3.16, 2.3.17, 2.3.18, 2.3.19, 2.3.20, 2.3.21, 2.3.22, 2.3.23, 2.3.24, 2.3.25, 2.3.26, 2.3.27, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37, 2.3.38, 2.3.39, 2.3.4, 2.3.40, 2.3.41, 2.3.42, 2.3.43, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.4.10

References

Name | URL | Source | Tags
APPLE-SA-2008-07-31 | http://lists.apple.com/archives/security-announce//2008/Jul/msg00003.html | APPLE |
SUSE-SR:2008:021 | http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00006.html | SUSE |
30853 | http://secunia.com/advisories/30853 | SECUNIA | Vendor Advisory
30917 | http://secunia.com/advisories/30917 | SECUNIA | Vendor Advisory
30996 | http://secunia.com/advisories/30996 | SECUNIA | Vendor Advisory
31326 | http://secunia.com/advisories/31326 | SECUNIA | Vendor Advisory
31364 | http://secunia.com/advisories/31364 | SECUNIA | Vendor Advisory
31436 | http://secunia.com/advisories/31436 | SECUNIA | Vendor Advisory
32254 | http://secunia.com/advisories/32254 | SECUNIA | Vendor Advisory
32316 | http://secunia.com/advisories/32316 | SECUNIA | Vendor Advisory
GLSA-200808-09 | http://security.gentoo.org/glsa/glsa-200808-09.xml | GENTOO |
http://wiki.rpath.com/Advisories:rPSA-2008-0249 | http://wiki.rpath.com/Advisories:rPSA-2008-0249 | CONFIRM |
DSA-1650 | http://www.debian.org/security/2008/dsa-1650 | DEBIAN |
MDVSA-2008:144 | http://www.mandriva.com/security/advisories?name=MDVSA-2008:144 | MANDRIVA |
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580 | http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580 | CONFIRM |
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580 | http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580 | CONFIRM |
[oss-security] 20080701 Re: [oss-security] openldap DoS | http://www.openwall.com/lists/oss-security/2008/07/01/2 | MLIST |
[oss-security] 20080713 Re: openldap DoS | http://www.openwall.com/lists/oss-security/2008/07/13/2 | MLIST |
RHSA-2008:0583 | http://www.redhat.com/support/errata/RHSA-2008-0583.html | REDHAT |
20080811 rPSA-2008-0249-1 openldap openldap-clients openldap-servers | http://www.securityfocus.com/archive/1/495320/100/0/threaded | BUGTRAQ |
30013 | http://www.securityfocus.com/bid/30013 | BID |
1020405 | http://www.securitytracker.com/id?1020405 | SECTRACK |
USN-634-1 | http://www.ubuntu.com/usn/usn-634-1 | UBUNTU |
ADV-2008-1978 | http://www.vupen.com/english/advisories/2008/1978/references | VUPEN | Vendor Advisory
ADV-2008-2268 | http://www.vupen.com/english/advisories/2008/2268 | VUPEN | Vendor Advisory
http://www.zerodayinitiative.com/advisories/ZDI-08-052/ | http://www.zerodayinitiative.com/advisories/ZDI-08-052/ | MISC |
openldap-bergetnext-dos(43515) | https://exchange.xforce.ibmcloud.com/vulnerabilities/43515 | XF |
https://issues.rpath.com/browse/RPL-2645 | https://issues.rpath.com/browse/RPL-2645 | CONFIRM |
oval:org.mitre.oval:def:10662 | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10662 | OVAL |
FEDORA-2008-6029 | https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00109.html | FEDORA |
FEDORA-2008-6062 | https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00129.html | FEDORA |