
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-35518 is a security vulnerability discovered in 389-ds-base, affecting the LDAP authentication process. The vulnerability was identified in December 2020 and allows an unauthenticated attacker to determine whether specific entries exist in the LDAP database based on different responses during DN binding authentication (CVE Mitre).
The vulnerability exists in the authentication mechanism where binding against a DN produces different responses depending on whether the DN exists or not. When attempting to bind to a non-existent DN, the server would return error 49 instead of error 32, and when binding to an entry without a userpassword attribute, it would return error 48 (inappropriate auth), inadvertently disclosing the entry's existence (Red Hat Bugzilla).
This vulnerability allows an unauthenticated attacker to enumerate valid entries in the LDAP database by observing different error messages returned during authentication attempts. This information disclosure could be used as a stepping stone for further attacks by helping attackers identify valid user accounts (Red Hat Advisory).
The issue has been fixed in 389-ds-base versions 2.0.3, 1.4.4.13, and 1.4.3.19. The fix modifies the server response to always return error 49 (Invalid Credentials) regardless of whether the entry exists or not, eliminating the information disclosure (GitHub Commit).
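The following is an added detection example, not code from the advisory or from the 389-ds project. It pairs BIND requests with their RESULT lines in a directory server access log, flags clients that fail binds against many distinct DNs, and reports any failed-bind result code other than 49, since such a code tells one DN apart from another. The log layout, the sample lines, and the `min_distinct_dns` threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in an access-log layout assumed for 389-ds (not taken from the page).
SAMPLE_LOG = '''\
[10/Dec/2020:09:00:01 +0000] conn=7 fd=64 slot=64 connection from 198.51.100.23 to 192.0.2.10
[10/Dec/2020:09:00:01 +0000] conn=7 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[10/Dec/2020:09:00:01 +0000] conn=7 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[10/Dec/2020:09:00:02 +0000] conn=7 op=1 BIND dn="uid=nobody1,ou=people,dc=example,dc=com" method=128 version=3
[10/Dec/2020:09:00:02 +0000] conn=7 op=1 RESULT err=32 tag=97 nentries=0 etime=0
[10/Dec/2020:09:00:03 +0000] conn=7 op=2 BIND dn="cn=printers,dc=example,dc=com" method=128 version=3
[10/Dec/2020:09:00:03 +0000] conn=7 op=2 RESULT err=48 tag=97 nentries=0 etime=0
[10/Dec/2020:09:05:00 +0000] conn=8 fd=65 slot=65 connection from 203.0.113.5 to 192.0.2.10
[10/Dec/2020:09:05:00 +0000] conn=8 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128 version=3
[10/Dec/2020:09:05:00 +0000] conn=8 op=0 RESULT err=49 tag=97 nentries=0 etime=0
'''

CONN = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ .*connection from (\S+) to")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+) tag=97")  # tag=97 marks a bind response
FAILED = {32, 48, 49}  # result codes the advisory discusses
LEAKY = {32, 48}       # failed-bind codes other than 49 distinguish one DN from another

def analyze(log_text, min_distinct_dns=3):
    """Return (clients failing binds on many distinct DNs, leaky codes seen in bind results)."""
    client_of, dn_of = {}, {}
    failed_dns, leaky_seen = defaultdict(set), set()
    for line in log_text.splitlines():
        if m := CONN.search(line):
            client_of[m[1]] = m[2]                    # connection id -> client address
        elif m := BIND.search(line):
            dn_of[(m[1], m[2])] = m[3].lower()        # remember the DN until its RESULT arrives
        elif m := RESULT.search(line):
            err, dn = int(m[3]), dn_of.pop((m[1], m[2]), None)
            if err in FAILED and dn:                  # empty DN (anonymous bind) is skipped
                failed_dns[client_of.get(m[1], "unknown")].add(dn)
                leaky_seen |= LEAKY & {err}
    suspects = {c: len(d) for c, d in failed_dns.items() if len(d) >= min_distinct_dns}
    return suspects, leaky_seen

if __name__ == "__main__":
    suspects, leaky = analyze(SAMPLE_LOG)
    print("clients failing binds against many distinct DNs:", suspects)
    print("failed-bind result codes that disclose entry state:", sorted(leaky))
```

An empty second result on a busy server is consistent with the fixed behaviour described above, where every failed bind returns error 49.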
Source: This report was generated using AI