CVE-2017-14623

In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (i.e., a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind.

CVSS v3 8.1 HIGH
CVSS v2.0 5.1 MEDIUM

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.1^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:P

Exploitability : 4.9 / Impact : 6.4

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66	Patch
https://github.com/go-ldap/ldap/pull/126	Issue Tracking Patch
https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66	Patch
https://github.com/go-ldap/ldap/pull/126	Issue Tracking Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:go-ldap_project:ldap:*:*:*:*:*:*:*:*

History

21 Nov 2024, 03:13

Type	Values Removed	Values Added
References	~~() https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66 - Patch~~	() https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66 - Patch
References	~~() https://github.com/go-ldap/ldap/pull/126 - Issue Tracking, Patch~~	() https://github.com/go-ldap/ldap/pull/126 - Issue Tracking, Patch

13 Feb 2024, 17:23

Type	Values Removed	Values Added
References	~~(CONFIRM) https://github.com/go-ldap/ldap/pull/126 - Patch, Third Party Advisory~~	(CONFIRM) https://github.com/go-ldap/ldap/pull/126 - Issue Tracking, Patch

Information

Published : 2017-09-20 23:29

Updated : 2024-11-21 03:13

NVD link : CVE-2017-14623

Mitre link : CVE-2017-14623

CVE.ORG link : CVE-2017-14623

JSON object : View

Products Affected

go-ldap_project

ldap

CWE

CWE-287

Improper Authentication

{"id": "CVE-2017-14623", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.1, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2017-09-20T23:29:00.247", "references": [{"url": "https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/go-ldap/ldap/pull/126", "tags": ["Issue Tracking", "Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/go-ldap/ldap/pull/126", "tags": ["Issue Tracking", "Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (i.e., a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind."}, {"lang": "es", "value": "En el paquete ldap.v2 (tambi\u00e9n conocido como go-ldap) hasta la versi\u00f3n 2.5.0 para Go, un atacante podr\u00eda ser capaz de iniciar sesi\u00f3n con una contrase\u00f1a vac\u00eda. Este problema afecta a una aplicaci\u00f3n que usa este paquete si se cumplen las siguientes condiciones: (1) solo depende del error de retorno de la llamada de funci\u00f3n Bind para determinar si un usuario est\u00e1 autorizado (por ejemplo, si se interpreta un valor nulo como una autorizaci\u00f3n con \u00e9xito) y (2) se emplea con un servidor LDAP que permita el enlace sin autenticaci\u00f3n."}], "lastModified": "2024-11-21T03:13:13.603", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:go-ldap_project:ldap:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5AFC31F6-1078-4377-AEF0-6249089C93B3", "versionEndIncluding": "2.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}