
53 matches found

Positive Technologies
added 2026/05/08 12:0 a.m., 5 views

PT-2026-39268

Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.0. Description: Open WebUI fails to validate that passwords are non-empty before performing LDAP Simple Bind authentication. On LDAP servers that permit unauthenticated empty-password binds, an attacker can...

CVSS: 9.1, AI score: 5.8, EPSS: 0.00043
Exploits: 1, References: 10

Positive Technologies
added 2026/02/10 12:0 a.m., 6 views

PT-2026-7281

Name of the Vulnerable Software and Affected Versions: Fortinet FortiOS versions 7.6.0 through 7.6.4. Description: An authentication bypass issue exists in Fortinet FortiOS. This flaw may allow an unauthenticated attacker to bypass LDAP authentication for Agentless VPN or Fortinet Single Sign-On FSS...

CVSS: 8.1, AI score: 5.6, EPSS: 0.00077
Exploits: 1, References: 13

Tenable Nessus
added 2026/01/22 12:0 a.m., 2 views

Azure Linux 3.0 Security Update: vitess (CVE-2017-14623)

The version of vitess installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2017-14623 advisory. - In the ldap.v2 aka go-ldap package through 2.5.0 for Go, an attacker may be able to login with an empty...

CVSS: 8.1, AI score: 5.7, EPSS: 0.00329
Exploits: 0, References: 2

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2014-4590

Malware in sbrugna...

CVSS: 6.8, AI score: 6.1, EPSS: 0.00604
Exploits: 0, References: 11

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2003-1424

Malware in sbrugna...

CVSS: 6.8, AI score: 6.4, EPSS: 0.00488
Exploits: 0, References: 4

EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2014-8594

Malware in sbrugna...

CVSS: 5, AI score: 6.1, EPSS: 0.0105
Exploits: 0, References: 10

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2014-0167

Malware in sbrugna...

CVSS: 7.5, AI score: 8.4, EPSS: 0.00267
Exploits: 1, References: 6

EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2021-8757

Malicious code in bioql PyPI...

CVSS: 9.8, AI score: 8.3, EPSS: 0.00222
Exploits: 0, References: 2

Tenable Nessus
added 2025/08/27 12:0 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2017-14623

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the ldap.v2 aka go-ldap package through 2.5.0 for Go, an attacker may be able to login with an empty password. This issue affects an application using this...

CVSS: 8.1, AI score: 6.7, EPSS: 0.00329
Exploits: 0, References: 2

RedhatCVE
added 2025/02/05 1:37 p.m., 5 views

CVE-2020-26214

In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configured to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow unauthenticated authentication mechanism for...

CVSS: 9.8, AI score: 7.2, EPSS: 0.88886
Exploits: 0

Microsoft CVE
added 2024/09/11 7:0 a.m., 3 views

In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go an attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (i.e. a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind.

...

CVSS: 8.1, AI score: 7, EPSS: 0.00329
Exploits: 0

IBM Security Bulletins
added 2024/06/05 9:36 p.m., 15 views

Security Bulletin: DS8900F DSCLI LDAP Client allows unauthenticated-bind LDAP with valid user name and empty password ( CVE-2024-22326 )

Summary The updates indicated below have been released to address CVE-2024-22326 Deny unauthenticated-bind LDAP connection request. Vulnerability Details CVEID:CVE-2024-22326 DESCRIPTION: IBM System Storage DS8000 could allow a remote user to create an LDAP connection with a valid username and...

CVSS: 6.3, AI score: 5.6, EPSS: 0.00066
Exploits: 0, Affected Software: 4

SUSE CVE
added 2023/02/15 4:39 a.m., 1 views

SUSE CVE-2017-14623

In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is...

CVSS: 8.1, AI score: 6.7, EPSS: 0.00329
Exploits: 0, References: 3

OSV
added 2022/05/18 4:15 p.m., 0 views

CVE-2021-3956

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active...

CVSS: 5.3, AI score: 5.8, EPSS: 0.00183
Exploits: 0, References: 1

NVD
added 2022/05/18 4:15 p.m., 10 views

CVE-2021-3956

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active...

CVSS: 5.3, EPSS: 0.00183
Exploits: 0, References: 1

Github Security Blog
added 2022/05/17 12:28 a.m., 16 views

Zend Access Restriction Bypass

The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind...

CVSS: 5, AI score: 7.3, EPSS: 0.00608
Exploits: 0, References: 13, Affected Software: 2

Github Security Blog
added 2022/05/14 3:10 a.m., 19 views

Symfony Authentication Bypass

Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind...

CVSS: 9.8, AI score: 9.4, EPSS: 0.00154
Exploits: 0, References: 9, Affected Software: 3

OSV
added 2022/05/14 1:14 a.m., 0 views

GHSA-72M6-23FF-7Q26 Improper Authentication in Apache WSS4J

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier...

CVSS: 7.5, AI score: 7.1, EPSS: 0.00705
Exploits: 1, References: 11

Github Security Blog
added 2022/02/15 1:57 a.m., 21 views

Access Restriction Bypass in go-ldap

In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is...

CVSS: 8.1, AI score: 3.7, EPSS: 0.00329
Exploits: 0, References: 4, Affected Software: 1

NVD
added 2021/03/09 3:15 p.m., 11 views

CVE-2021-21484

LDAP authentication in SAP HANA Database version 2.0 can be bypassed if the attached LDAP directory server is configured to enable unauthenticated bind...

CVSS: 9.8, EPSS: 0.00222
Exploits: 0, References: 2