Sun's Java Directory Server allows unauthorized data modifications
Two vulnerabilities in Sun's Java System Directory Server may make it possible for users to gain unauthorized access to data, both on local platforms and over the network. The vendor's security reports, however, do not reveal any details about these holes. What has been divulged is that the first vulnerability can expose, without authorization, information on the existence of normally concealed database entry attributes. Apparently, by using the second vulnerability, an unprivileged attacker could then make data modifications that normally require root privileges.
The vendor classifies Sun ONE Directory Server 5.1 and 5.2, Sun Java System Directory Server 5 (5.2 patch 1 to 4) and Sun Java Directory Server Enterprise Edition (DSEE) 6.0, on all supported platforms, as being affected by the vulnerabilities. Sun has included links in the security reports to updates that eliminate the faults.
- Security Vulnerability in Sun Java System Directory Server Leaks Information About Existence of Attributes, security report from Sun
- Security Vulnerability in Sun Java System Directory Server May Allow Unauthorized Data Modifications, error report from Sun