CVE-2024-2199
Rocky Linux vulnerability analysis and mitigation

Overview

A denial of service vulnerability (CVE-2024-2199) was discovered in the 389-ds-base LDAP server. The vulnerability was reported on May 28, 2024, and affects the server's password modification functionality. This security issue specifically impacts authenticated users attempting to modify the userPassword attribute (NVD).

Technical details

The vulnerability occurs in the password modification process within the slapd/modify.c component of the 389-ds-base LDAP server. When an authenticated user attempts to modify the userPassword attribute using malformed input, it can trigger a server crash. The vulnerability has been assigned a CVSS v3.1 base score of 5.7 (Medium) with the vector string CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating adjacent network access, low attack complexity, and high availability impact (Red Hat Security).

Impact

The primary impact of this vulnerability is a denial of service condition. When successfully exploited, it can cause the LDAP server to crash, disrupting service availability for all users. The vulnerability requires authentication to exploit, which somewhat limits its potential impact (Red Hat Bugzilla).

Mitigation and workarounds

Red Hat has released security updates to address this vulnerability across multiple product versions. Updates are available through various security advisories including RHSA-2024:3591, RHSA-2024:3837, RHSA-2024:4092, RHSA-2024:4209, RHSA-2024:4210, and RHSA-2024:4235. Users are advised to apply these updates to mitigate the vulnerability (Red Hat Security).

Additional resources


SourceThis report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management