In the ldap.v2 (aka go-ldap) package up to and including 2.5.0 for Go, an attacker may be able to log in with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the error returned by the Bind function call to determine whether a user is authorized (i.e., a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind.
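The two conditions above, shown side by side with an application-level guard, as an added Go example (not code from the advisory or from the go-ldap project). `fakeDirectory` is a constructed stand-in for a server that allows unauthenticated bind, and `loginNaive`, `loginChecked` and `ErrEmptyPassword` are hypothetical application names; only the `Bind(username, password string) error` signature is go-ldap's.

```go
package main

import (
	"errors"
	"fmt"
)

// binder matches the Bind method of *ldap.Conn in gopkg.in/ldap.v2.
type binder interface {
	Bind(username, password string) error
}

// fakeDirectory (constructed, DN -> password) imitates a server that allows
// unauthenticated bind (RFC 4513, section 5.1.2).
type fakeDirectory map[string]string

func (d fakeDirectory) Bind(username, password string) error {
	if password == "" {
		return nil // unauthenticated bind: success without checking a credential
	}
	if want, ok := d[username]; ok && want == password {
		return nil
	}
	return errors.New("LDAP Result Code 49: Invalid Credentials")
}

// ErrEmptyPassword is returned before any bind request is sent.
var ErrEmptyPassword = errors.New("empty password rejected")

// loginNaive trusts a nil error from Bind, the pattern the advisory describes.
func loginNaive(c binder, dn, password string) error {
	return c.Bind(dn, password)
}

// loginChecked refuses empty passwords, so a nil error always means the
// server verified a credential.
func loginChecked(c binder, dn, password string) error {
	if password == "" {
		return ErrEmptyPassword
	}
	return c.Bind(dn, password)
}

func main() {
	dir := fakeDirectory{"uid=alice,dc=example,dc=org": "s3cret"} // constructed
	fmt.Println("naive:  ", loginNaive(dir, "uid=alice,dc=example,dc=org", ""))
	fmt.Println("checked:", loginChecked(dir, "uid=alice,dc=example,dc=org", ""))
}
```

The same guard belongs in front of any code path that treats a nil `Bind` error as proof of identity, regardless of the package version in use.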
Vulnerable Product: go-ldap project ldap