LDAP Authentication Flaw in Pivotal Spring-LDAP Affects Multiple Versions
CVE-2017-8028

8.1HIGH

What is CVE-2017-8028?

In specific versions of Pivotal Spring-LDAP, a vulnerability exists that allows an attacker to bypass authentication when connecting to certain LDAP servers. This issue arises when using the LDAP BindAuthenticator with DefaultTlsDirContextAuthenticationStrategy, and an effective user search is performed with a correct username. If no additional attributes are bound, authentication may succeed with any password. This behaviour is due to the requirement of an explicit operation by some LDAP vendors for the bind operation to be properly executed.

Affected Version(s)

Spring-LDAP Spring-LDAP 1.3.0 2.3.1 Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.