CVE-2022-2850: 
NixOS vulnerability analysis and mitigation

CVE-2022-2850 is a security vulnerability discovered in 389-ds-base, an open source LDAP server for Linux. When the Content Synchronization plugin is enabled, an authenticated user can trigger a NULL pointer dereference using a specially crafted query. This vulnerability was disclosed in August 2022 and is notably an incomplete fix of a previous vulnerability (CVE-2021-3514) (CVE Details, Debian Security).

The vulnerability occurs specifically in the Content Synchronization plugin's syncrepl functionality. When a malformed cookie is supplied (e.g., with a value like 'sync=rp/foo'), it triggers a NULL pointer dereference in the synccookieisvalid function within the syncutil.c file. The issue manifests in the syncsrchrefreshpresearch operation, leading to a segmentation fault (Red Hat Bugzilla).

The vulnerability allows an authenticated attacker to cause a denial of service condition in the 389-ds-base server. When successfully exploited, the attack results in the server crashing due to a segmentation fault, potentially disrupting LDAP services (CVE Details, Red Hat Bugzilla).

Multiple vendors have released patches to address this vulnerability. Red Hat has released security updates through various advisories including RHSA-2022:7087, RHSA-2022:7133, and RHSA-2022:8162. Debian has also addressed this issue in version 1.4.0.21-1+deb10u1 for Debian 10 (Debian LTS, Red Hat Bugzilla).