Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for spring-ldap by pivotal_software

    CVE-2017-8028 (GCVE-0-2017-8028)

    Vulnerability from nvd – Published: 2017-11-27 10:00 – Updated: 2024-08-05 16:19
    VLAI
    Summary
    In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.
    Severity
    No CVSS data available.
    CWE
    • authentication with arbitrary password
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1 Affected: Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1
    Date Public
    2017-11-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:19:29.484Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:0319",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0319"
              },
              {
                "name": "DSA-4046",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2017/dsa-4046"
              },
              {
                "name": "[debian-lts-announce] 20171119 [SECURITY] [DLA 1180-1] libspring-ldap-java security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2017-8028"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1"
                }
              ]
            }
          ],
          "datePublic": "2017-11-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "authentication with arbitrary password",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-20T14:41:58.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "RHSA-2018:0319",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0319"
            },
            {
              "name": "DSA-4046",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2017/dsa-4046"
            },
            {
              "name": "[debian-lts-announce] 20171119 [SECURITY] [DLA 1180-1] libspring-ldap-java security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2017-8028"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secure@dell.com",
              "ID": "CVE-2017-8028",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "authentication with arbitrary password"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:0319",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0319"
                },
                {
                  "name": "DSA-4046",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2017/dsa-4046"
                },
                {
                  "name": "[debian-lts-announce] 20171119 [SECURITY] [DLA 1180-1] libspring-ldap-java security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
                },
                {
                  "name": "https://pivotal.io/security/cve-2017-8028",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2017-8028"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2017-8028",
        "datePublished": "2017-11-27T10:00:00.000Z",
        "dateReserved": "2017-04-21T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:19:29.484Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-8028 (GCVE-0-2017-8028)

    Vulnerability from cvelistv5 – Published: 2017-11-27 10:00 – Updated: 2024-08-05 16:19
    VLAI
    Summary
    In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.
    Severity
    No CVSS data available.
    CWE
    • authentication with arbitrary password
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1 Affected: Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1
    Date Public
    2017-11-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:19:29.484Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:0319",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:0319"
              },
              {
                "name": "DSA-4046",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2017/dsa-4046"
              },
              {
                "name": "[debian-lts-announce] 20171119 [SECURITY] [DLA 1180-1] libspring-ldap-java security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://pivotal.io/security/cve-2017-8028"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1"
                }
              ]
            }
          ],
          "datePublic": "2017-11-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "authentication with arbitrary password",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-20T14:41:58.000Z",
            "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
            "shortName": "dell"
          },
          "references": [
            {
              "name": "RHSA-2018:0319",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:0319"
            },
            {
              "name": "DSA-4046",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2017/dsa-4046"
            },
            {
              "name": "[debian-lts-announce] 20171119 [SECURITY] [DLA 1180-1] libspring-ldap-java security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://pivotal.io/security/cve-2017-8028"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secure@dell.com",
              "ID": "CVE-2017-8028",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Spring-LDAP Spring-LDAP versions 1.3.0 2.3.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "authentication with arbitrary password"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:0319",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:0319"
                },
                {
                  "name": "DSA-4046",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2017/dsa-4046"
                },
                {
                  "name": "[debian-lts-announce] 20171119 [SECURITY] [DLA 1180-1] libspring-ldap-java security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
                },
                {
                  "name": "https://pivotal.io/security/cve-2017-8028",
                  "refsource": "CONFIRM",
                  "url": "https://pivotal.io/security/cve-2017-8028"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "assignerShortName": "dell",
        "cveId": "CVE-2017-8028",
        "datePublished": "2017-11-27T10:00:00.000Z",
        "dateReserved": "2017-04-21T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:19:29.484Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }