8.1

CVE-2017-8028

In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Pivotal SoftwareSpring-ldap Version1.3.0
Pivotal SoftwareSpring-ldap Version1.3.1
Pivotal SoftwareSpring-ldap Version1.3.1 Updaterc1
Pivotal SoftwareSpring-ldap Version1.3.2
Pivotal SoftwareSpring-ldap Version2.0.0
Pivotal SoftwareSpring-ldap Version2.0.1
Pivotal SoftwareSpring-ldap Version2.0.2
Pivotal SoftwareSpring-ldap Version2.0.3
Pivotal SoftwareSpring-ldap Version2.0.4
Pivotal SoftwareSpring-ldap Version2.1.0
Pivotal SoftwareSpring-ldap Version2.2.0
Pivotal SoftwareSpring-ldap Version2.2.1
Pivotal SoftwareSpring-ldap Version2.3.0
Pivotal SoftwareSpring-ldap Version2.3.1
DebianDebian Linux Version8.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.61% 0.834
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.1 2.2 5.9
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 5.1 4.9 6.4
AV:N/AC:H/Au:N/C:P/I:P/A:P
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://www.oracle.com/security-alerts/cpujan2021.html
https://access.redhat.com/errata/RHSA-2018:0319
https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html
https://pivotal.io/security/cve-2017-8028
Vendor Advisory
Issue Tracking
https://www.debian.org/security/2017/dsa-4046
Third Party Advisory
Issue Tracking