CVE-2024-5953: 389-ds-base: malformed userpassword hash may cause denial of service
First published: Thu Jun 13 2024(Updated: )
A denial of service vulnerability was found in 389-ds-base ldap server. This issue may allow an authenticated user to cause a server crash or hang while authenticating with an user having a malformed userPassword. By default only the administrator may directly add hashed password that can trigger the issue. But if nsslapd-allow-hashed-passwords config parameter is turned on, any user can trigger the issue. The problem is triggered by adding a password to an user using the hashed format (with a hash value too long for the specified hash scheme) Then later on when trying to authenticate on that user its triggers the buffer overflow By default, only administrators are allowed to add hashed passwords but there is a configuration parameter (nsslapd-allow-hashed-passwords) allowing any users to add hashed passwords and potentially trigger the DoS. This vulnerability affects versions: >= 1.3.7.2
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| 389 Directory Server | >=1.3.7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2024:4633
- https://access.redhat.com/errata/RHSA-2024:4997
- https://access.redhat.com/errata/RHSA-2024:5192
- https://access.redhat.com/errata/RHSA-2024:5690
- https://access.redhat.com/errata/RHSA-2024:6153
- https://access.redhat.com/errata/RHSA-2024:6568
- https://access.redhat.com/errata/RHSA-2024:6569
- https://access.redhat.com/errata/RHSA-2024:6576
- https://access.redhat.com/errata/RHSA-2024:7458
- https://access.redhat.com/security/cve/CVE-2024-5953
- https://bugzilla.redhat.com/show_bug.cgi?id=2292104
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292109
- https://access.redhat.com/errata/RHSA-2025:1632
Frequently Asked Questions
What is the severity of CVE-2024-5953?
CVE-2024-5953 is classified as a denial of service vulnerability that can lead to server crashes.
How do I fix CVE-2024-5953?
To fix CVE-2024-5953, it is recommended to upgrade to the latest patched version of 389-ds-base.
Who is affected by CVE-2024-5953?
CVE-2024-5953 affects users of the 389-ds-base LDAP server version 1.3.7.2 and later.
What causes the CVE-2024-5953 vulnerability?
CVE-2024-5953 is caused by the server crashing or hanging when an authenticated user attempts to authenticate with a malformed userPassword.
Can unauthenticated users exploit CVE-2024-5953?
No, CVE-2024-5953 requires an authenticated user to exploit the vulnerability.
- agent/title
- agent/type
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/severity
- agent/author
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/nvd-api
- source/NVD
- agent/source
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-5953
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/389-ds
- canonical/389 directory server