
    2 vulnerabilities by YugaByte, Inc.

    CVE-2022-37397 (GCVE-0-2022-37397)

    Vulnerability from nvd – Published: 2022-08-12 18:01 – Updated: 2024-08-03 10:29
    VLAI
    Title
    The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft’s Active Directory
    Summary
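    An issue was discovered in YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, authentication can be bypassed by supplying an empty password. (In LDAP, a simple bind that carries a name but an empty password is an unauthenticated bind per RFC 4513; a directory that permits such binds reports success, so a client that treats a successful bind as proof of identity has to reject empty passwords before binding.)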
    CWE
    Assigner
    References
    URL Tags
    https://www.yugabyte.com/ x_refsource_CONFIRM
    Impacted products

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:29:21.063Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "macos, darwin"
              ],
              "product": "Yugabyte DB",
              "vendor": "YugaByte, Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.6.1.0"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "value": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-16",
                  "description": "CWE-16 Configuration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-12T18:01:37.000Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.yugabyte.com/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to non-vulnerable version 2.6.1.1+"
            }
          ],
          "source": {
            "defect": [
              "PLAT-4383"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory",
          "workarounds": [
            {
              "lang": "en",
              "value": "Disable LDAP for YCQL."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@yugabyte.com",
              "ID": "CVE-2022-37397",
              "STATE": "PUBLIC",
              "TITLE": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yugabyte DB",
                          "version": {
                            "version_data": [
                              {
                                "platform": "macos, darwin",
                                "version_name": "2.6.1.0",
                                "version_value": "2.6.1.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "YugaByte, Inc."
                  }
                ]
              }
            },
            "configuration": [
              {
                "lang": "en",
                "value": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287 Improper Authentication"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-16 Configuration"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.yugabyte.com/",
                  "refsource": "CONFIRM",
                  "url": "https://www.yugabyte.com/"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to non-vulnerable version 2.6.1.1+"
              }
            ],
            "source": {
              "defect": [
                "PLAT-4383"
              ],
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Disable LDAP for YCQL."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2022-37397",
        "datePublished": "2022-08-12T18:01:37.000Z",
        "dateReserved": "2022-08-03T00:00:00.000Z",
        "dateUpdated": "2024-08-03T10:29:21.063Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-37397 (GCVE-0-2022-37397)

    Vulnerability from cvelistv5 – Published: 2022-08-12 18:01 – Updated: 2024-08-03 10:29
    VLAI
    Title
    The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft’s Active Directory
    Summary
    An issue was discovered in YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, authentication can be bypassed by supplying an empty password.
    CWE
    Assigner
    References
    URL Tags
    https://www.yugabyte.com/ x_refsource_CONFIRM
    Impacted products

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:29:21.063Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.yugabyte.com/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "macos, darwin"
              ],
              "product": "Yugabyte DB",
              "vendor": "YugaByte, Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.6.1.0"
                }
              ]
            }
          ],
          "configurations": [
            {
              "lang": "en",
              "value": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-16",
                  "description": "CWE-16 Configuration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-12T18:01:37.000Z",
            "orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
            "shortName": "Yugabyte"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.yugabyte.com/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to non-vulnerable version 2.6.1.1+"
            }
          ],
          "source": {
            "defect": [
              "PLAT-4383"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory",
          "workarounds": [
            {
              "lang": "en",
              "value": "Disable LDAP for YCQL."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@yugabyte.com",
              "ID": "CVE-2022-37397",
              "STATE": "PUBLIC",
              "TITLE": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yugabyte DB",
                          "version": {
                            "version_data": [
                              {
                                "platform": "macos, darwin",
                                "version_name": "2.6.1.0",
                                "version_value": "2.6.1.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "YugaByte, Inc."
                  }
                ]
              }
            },
            "configuration": [
              {
                "lang": "en",
                "value": "The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft\u2019s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287 Improper Authentication"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-16 Configuration"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.yugabyte.com/",
                  "refsource": "CONFIRM",
                  "url": "https://www.yugabyte.com/"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to non-vulnerable version 2.6.1.1+"
              }
            ],
            "source": {
              "defect": [
                "PLAT-4383"
              ],
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Disable LDAP for YCQL."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078",
        "assignerShortName": "Yugabyte",
        "cveId": "CVE-2022-37397",
        "datePublished": "2022-08-12T18:01:37.000Z",
        "dateReserved": "2022-08-03T00:00:00.000Z",
        "dateUpdated": "2024-08-03T10:29:21.063Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }