vulnerability

Ubuntu: (CVE-2017-8028): libspring-ldap-java vulnerability

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:H/Au:N/C:P/I:P/A:P)	Nov 27, 2017	Nov 19, 2024	Aug 18, 2025

Severity

CVSS

(AV:N/AC:H/Au:N/C:P/I:P/A:P)

Published

Nov 27, 2017

Added

Nov 19, 2024

Modified

Aug 18, 2025

Description

In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.

Solution

ubuntu-upgrade-libspring-ldap-java

References

CVE-2017-8028
https://attackerkb.com/topics/CVE-2017-8028
CWE-287
DEBIAN-DSA-4046
URL-https://github.com/spring-projects/spring-ldap/issues/430
URL-https://pivotal.io/security/cve-2017-8028
URL-https://www.cve.org/CVERecord?id=CVE-2017-8028

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today