CVE

GHSA-pjqh-2jcc-5j84

Improper Authentication in Pivotal Spring-LDAP

CVE

GHSA-pjqh-2jcc-5j84

Improper Authentication in Pivotal Spring-LDAP

In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.

Package Versions Affected

org.springframework.ldap:spring-ldap-core 2.3.1.RELEASE

Available

Unavailable

org.springframework.ldap:spring-ldap 1.3.1.RELEASE

Available

Unavailable

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

8.1

3.0

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.1

3.0

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.1

3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Related Resources

No items found.

References

https://nvd.nist.gov/vuln/detail/CVE-2017-8028, https://github.com/spring-projects/spring-ldap/commit/08e8ae289bbd1b581986c7238604a147119c1336, https://access.redhat.com/errata/RHSA-2018:0319, https://github.com/spring-projects/spring-ldap, https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html, https://pivotal.io/security/cve-2017-8028, https://www.debian.org/security/2017/dsa-4046, https://www.oracle.com/security-alerts/cpujan2021.html

Severity

8.1

CVSS Score

Basic Information

Ecosystem

Base CVSS

8.1

EPSS Probability

0.01283%

EPSS Percentile

0.79156%

Introduced Version

1.3.0.RELEASE

Fix Available

2.3.2.RELEASE

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

GHSA-pjqh-2jcc-5j84