Lucene search

[email protected]CVE-2007-4364

HistoryAug 15, 2007 - 7:17 p.m.

CVE-2007-4364

2007-08-1519:17:00

CWE-287

[email protected]

web.nvd.nist.gov

cve-2007-4364

fedora commons

authentication bypass

ldap

jndi

security vulnerability

7.8 High

AI Score

Confidence

Low

8.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

0.007 Low

EPSS

Percentile

79.2%

JSON

Fedora Commons before 2.2.1 does not properly handle certain authentication requests involving Java Naming and Directory Interface (JNDI), related to (1) a nonexistent account name in combination with an empty password, which allows remote attackers to trigger a certain “unexpected / strange response” from an LDAP server, and (2) a reauthentication attempt that throws an exception, which allows remote attackers to trigger use of a cached authentication decision. NOTE: authentication can be bypassed by using vector 1 followed by vector 2, and possibly can be bypassed by using a single vector.

CPENameOperatorVersion
fedoraproject:commonsfedoraproject commonsle2.2

CPE	Name	Operator	Version
fedoraproject:commons	fedoraproject commons	le	2.2

References

osvdb.org/39548

secunia.com/advisories/26445

sourceforge.net/project/shownotes.php?release_id=531870

sourceforge.net/tracker/index.php?func=detail&aid=1731608&group_id=177054&atid=879703

www.securityfocus.com/bid/25317

exchange.xforce.ibmcloud.com/vulnerabilities/36005

7.8 High

AI Score

Confidence

Low

8.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

0.007 Low

EPSS

Percentile

79.2%

JSON

Related for CVE-2007-4364

prion1