Improper Authentication in Pivotal Spring-LDAP

GHSA-pjqh-2jcc-5j84 · CVE-2017-8028

Published May 13, 2022 · Modified Apr 10, 2024

Description

In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-8028
WEB https://github.com/spring-projects/spring-ldap/commit/08e8ae289bbd1b581986c7238604a147119c1336
WEB https://access.redhat.com/errata/RHSA-2018:0319
PACKAGE https://github.com/spring-projects/spring-ldap
WEB https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html
WEB https://pivotal.io/security/cve-2017-8028
WEB https://www.debian.org/security/2017/dsa-4046
WEB https://www.oracle.com/security-alerts/cpujan2021.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes