A vulnerability was found in Univention Corporate Server up to 12.0.1-3. It has been rated as problematic. Affected by this issue is the function data_on_connection of the file src/callback.c of the component univention-directory-notifier. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. CVE summarizes:

Univention Corporate Server univention-directory-notifier 12.0.1-3 and earlier is affected by: CWE-213: Intentional Information Exposure. The impact is: Loss of Confidentiality. The component is: function data_on_connection() in src/callback.c. The attack vector is: network connectivity. The fixed version is: 12.0.1-4 and later.

The weakness was presented 07/17/2019. This vulnerability is handled as CVE-2019-1010283 since 03/20/2019. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1592.

Upgrading to version 12.0.1-4 eliminates this vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Name

• Univention Corporate Server

Version

• 12.0.1-3

License

• open-source

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion