Veracode Vulnerability Database, VERACODE:24633
History: Apr 10, 2020 - 12:59 a.m.

Authentication Bypass

2020-04-10 00:59:40
Veracode Vulnerability Database
sca.analysiscenter.veracode.com

EPSS: 0.004 (percentile: 74.0%)

OpenLDAP is vulnerable to authentication bypass. A flaw was found in the way OpenLDAP handled authentication failures being passed from an OpenLDAP slave to the master. If OpenLDAP was configured with a chain overlay and it forwarded authentication failures, OpenLDAP would bind to the directory as an anonymous user and return success, rather than returning failure on the authenticated bind. This could allow a user on a system that uses LDAP for authentication to log into a directory-based account without knowing the password.
