Veracode Vulnerability Database: VERACODE:5331
History: Oct 25, 2017 - 7:50 a.m.

Authentication Bypass

2017-10-25 07:50:22
sca.analysiscenter.veracode.com
10

EPSS: 0.004
Percentile: 74.4%

spring-ldap-core is vulnerable to authentication bypass. If no additional attributes are bound when connecting to an LDAP server that uses BindAuthenticator with DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, an attacker can set userSearch and pass a valid username with an arbitrary password to bypass authentication. This is because the LDAP bind isn't correctly invoked.
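To find deployments that match these preconditions, the following added example (not part of the advisory or of Spring's code) scans a Spring beans XML file for a BindAuthenticator with userSearch set alongside DefaultTlsDirContextAuthenticationStrategy. It assumes XML bean configuration; the bean ids, the host name and the sample file are constructed, and whether additional attributes are bound cannot be seen in the configuration, so that condition is not checked.

```python
import xml.etree.ElementTree as ET

TLS_STRATEGY = ".DefaultTlsDirContextAuthenticationStrategy"
BIND_AUTH = ".BindAuthenticator"

def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit_beans(xml_text):
    """Return ids of BindAuthenticator beans matching the advisory's preconditions."""
    root = ET.fromstring(xml_text)
    beans = [e for e in root.iter() if local(e.tag) == "bean"]
    # Heuristic: the TLS strategy appears anywhere in the file (top-level or inner bean).
    uses_tls = any(b.get("class", "").endswith(TLS_STRATEGY) for b in beans)
    findings = []
    for bean in beans:
        if not bean.get("class", "").endswith(BIND_AUTH):
            continue
        props = {p.get("name") for p in bean if local(p.tag) == "property"}
        if uses_tls and "userSearch" in props:
            findings.append(bean.get("id", "<anonymous>"))
    return findings

# Constructed sample configuration (not taken from any real deployment).
RISKY_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://ldap.example.test:389"/>
    <property name="authenticationStrategy">
      <bean class="org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy"/>
    </property>
  </bean>
  <bean id="bindAuth" class="org.springframework.security.ldap.authentication.BindAuthenticator">
    <constructor-arg ref="contextSource"/>
    <property name="userSearch" ref="userSearch"/>
  </bean>
</beans>"""

# Same file with a different strategy class: preconditions not met.
OTHER_XML = RISKY_XML.replace("DefaultTls", "Simple")

if __name__ == "__main__":
    print(audit_beans(RISKY_XML))
    print(audit_beans(OTHER_XML))
```

A finding means the configuration matches the combination described above and the spring-ldap-core version in use should be checked against this advisory.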