Source: redhatcve, Redhat.com, RH:CVE-2017-8028
Published: Nov 08, 2017 - 1:52 p.m.

CVE-2017-8028

2017-11-08 13:52:28
redhat.com
access.redhat.com

EPSS: 0.004
Percentile: 74.4%

A vulnerability was found in spring-ldap that allows an attacker to authenticate with an arbitrary password. When spring-ldap is connected to some LDAP servers, authentication succeeds with an arbitrary password as long as the username is correct, provided all of the following hold: no additional attributes are bound, the LDAP BindAuthenticator is used with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and userSearch is set.