In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: dell
Published: 2017-11-27T10:00:00
Updated: 2024-08-05T16:19:29.484Z
Reserved: 2017-04-21T00:00:00
Link: CVE-2017-8028
Vulnrichment
No data.
NVD
Status : Modified
Published: 2017-11-27T10:29:00.720
Modified: 2024-11-21T03:33:10.940
Link: CVE-2017-8028
Redhat