Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for spring-ldap by pivotal_software
CVE-2017-8028 (GCVE-0-2017-8028)
Vulnerability from nvd – Published: 2017-11-27 10:00 – Updated: 2024-08-05 16:19
VLAI?
Summary
In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.
Severity ?
No CVSS data available.
CWE
- authentication with arbitrary password
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1 |
Affected:
Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1
|
Date Public ?
2017-11-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:19:29.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2018:0319",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0319"
},
{
"name": "DSA-4046",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2017/dsa-4046"
},
{
"name": "[debian-lts-announce] 20171119 [SECURITY] [DLA 1180-1] libspring-ldap-java security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2017-8028"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1"
}
]
}
],
"datePublic": "2017-11-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "authentication with arbitrary password",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-20T14:41:58.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"name": "RHSA-2018:0319",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0319"
},
{
"name": "DSA-4046",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2017/dsa-4046"
},
{
"name": "[debian-lts-announce] 20171119 [SECURITY] [DLA 1180-1] libspring-ldap-java security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2017-8028"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"ID": "CVE-2017-8028",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1",
"version": {
"version_data": [
{
"version_value": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "authentication with arbitrary password"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2018:0319",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0319"
},
{
"name": "DSA-4046",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2017/dsa-4046"
},
{
"name": "[debian-lts-announce] 20171119 [SECURITY] [DLA 1180-1] libspring-ldap-java security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "https://pivotal.io/security/cve-2017-8028",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2017-8028"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2017-8028",
"datePublished": "2017-11-27T10:00:00.000Z",
"dateReserved": "2017-04-21T00:00:00.000Z",
"dateUpdated": "2024-08-05T16:19:29.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-8028 (GCVE-0-2017-8028)
Vulnerability from cvelistv5 – Published: 2017-11-27 10:00 – Updated: 2024-08-05 16:19
VLAI?
Summary
In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.
Severity ?
No CVSS data available.
CWE
- authentication with arbitrary password
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1 |
Affected:
Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1
|
Date Public ?
2017-11-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:19:29.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2018:0319",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0319"
},
{
"name": "DSA-4046",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2017/dsa-4046"
},
{
"name": "[debian-lts-announce] 20171119 [SECURITY] [DLA 1180-1] libspring-ldap-java security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2017-8028"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1"
}
]
}
],
"datePublic": "2017-11-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "authentication with arbitrary password",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-20T14:41:58.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"name": "RHSA-2018:0319",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0319"
},
{
"name": "DSA-4046",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2017/dsa-4046"
},
{
"name": "[debian-lts-announce] 20171119 [SECURITY] [DLA 1180-1] libspring-ldap-java security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2017-8028"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"ID": "CVE-2017-8028",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1",
"version": {
"version_data": [
{
"version_value": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "authentication with arbitrary password"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2018:0319",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0319"
},
{
"name": "DSA-4046",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2017/dsa-4046"
},
{
"name": "[debian-lts-announce] 20171119 [SECURITY] [DLA 1180-1] libspring-ldap-java security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "https://pivotal.io/security/cve-2017-8028",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2017-8028"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2017-8028",
"datePublished": "2017-11-27T10:00:00.000Z",
"dateReserved": "2017-04-21T00:00:00.000Z",
"dateUpdated": "2024-08-05T16:19:29.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}