A flaw was found in the "deref" plugin of 389-ds-base where it could use the "search" permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes