Published: 20/09/2017 Updated: 13/02/2024

CVSS v2 Base Score: 5.1 | Impact Score: 6.4 | Exploitability Score: 4.9

CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2

VMScore: 454

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

In the ldap.v2 (aka go-ldap) package up to and including 2.5.0 for Go, an attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (i.e., a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind.

Vulnerable Product	Search on Vulmon	Subscribe to Product
go-ldap project ldap

Debian Bug report logs - #876404 golang-github-go-ldap-ldap: CVE-2017-14623 Package: src:golang-github-go-ldap-ldap; Maintainer for src:golang-github-go-ldap-ldap is Debian Go Packaging Team <pkg-go-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Thu, 21 Sep 2017 19:15 ...

In the ldapv2 (aka go-ldap) package through 250 for Go, an attacker may be able to login with an empty password This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (ie, a nil return value is interpreted as s ...

CWE-287 https://github.com/go-ldap/ldap/pull/126 https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876404 https://nvd.nist.gov

CVE-2017-14623

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect