QwikSec

Security Database

CVE

CWE

Training

CVE-2017-8028

Published: Nov 27, 2017

Modified: Aug 5, 2024

PUBLISHED

Description

In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.

Vendor	Product	Versions
n/a	Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1	affected `Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1`

References

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_DEBIAN

[debian-lts-announce] 20171119 [SECURITY] [DLA 1180-1] libspring-ldap-java security update

mailing-list

x_refsource_MLIST

https://www.oracle.com/security-alerts/cpujan2021.html

x_refsource_MISC

https://pivotal.io/security/cve-2017-8028

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.