vulnerability
Debian: CVE-2017-8028: libspring-ldap-java -- security update
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
5 | (AV:N/AC:H/Au:N/C:P/I:P/A:P) | Nov 22, 2017 | Nov 23, 2017 | Nov 27, 2024 |
Severity
5
CVSS
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
Published
Nov 22, 2017
Added
Nov 23, 2017
Modified
Nov 27, 2024
Description
In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.
Solution
debian-upgrade-libspring-ldap-java

NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.