LDAP Authentication Flaw in Pivotal Spring-LDAP Affects Multiple Versions
CVE-2017-8028
8.1 HIGH
Key Information:
- Vendor: Pivotal Software
- CVE Published: 27 November 2017
What is CVE-2017-8028?
In affected versions of Pivotal Spring-LDAP, an attacker can bypass authentication when connecting to certain LDAP servers. The issue occurs when the LDAP BindAuthenticator is used together with DefaultTlsDirContextAuthenticationStrategy and a user search is performed with a correct username. If no additional attributes are bound, authentication can succeed with any password. This happens because some LDAP vendors require an explicit operation before the bind actually takes effect.
Affected Version(s)
Spring-LDAP versions 1.3.0 to 2.3.1
