Authentication bypass through OpenLDAP configuration
CVE-2024-10127
9.2 CRITICAL
What is CVE-2024-10127?
M-Files Server has an authentication bypass condition in its LDAP authentication implementation that allows unauthorized access. The issue arises in versions earlier than 24.11, where the server's configuration permits user authentication without a password if the LDAP setup is vulnerable. The flaw poses significant risks to users relying on LDAP for authentication and can lead to unauthorized access to sensitive information.
Affected Version(s)
M-Files Server (Windows): versions before 24.11
M-Files Server (Windows): versions before 24.8 LTS SR2
