CVE-2014-4668

The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an empty password.

Published: Jul 2, 2014
Updated: Apr 13, 2023
CVE: CVE-2014-4668
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
fedoraproject / fedora	22	22.x
fedoraproject / fedora	20	20.x
fedoraproject / fedora	21	21.x
mageia_project / mageia	4	4.x
cherokee-project / cherokee	1.2.99	1.2.99.x
cherokee-project / cherokee	1.2.2	1.2.2.x
cherokee-project / cherokee	-	1.2.103.x
cherokee-project / cherokee	1.2.101	1.2.101.x
cherokee-project / cherokee	1.2.98	1.2.98.x
cherokee-project / cherokee	1.2.102	1.2.102.x

http://advisories.mageia.org/MGASA-2015-0181.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155776.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156162.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156190.html
http://openwall.com/lists/oss-security/2014/06/28/3
http://openwall.com/lists/oss-security/2014/06/28/7
http://www.mandriva.com/security/advisories?name=MDVSA-2015:225
http://www.securityfocus.com/bid/68249
https://github.com/cherokee/webserver/commit/fbda667221c51f0aa476a02366e0cf66cb012f88

Vulnerability Database

289,599

CVE-2014-4668