Bug 1109628 (CVE-2014-3999)

Summary: CVE-2014-3999 php-horde-Horde-Ldap: connect to LDAP without knowing the password
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Reporter: Murray McAllister <mmcallis>
Assignee: Red Hat Product Security <security-response-team>
CC: fedora, jrusnack, nb, vdanen
Keywords: Security
Whiteboard: impact=moderate,public=20140603,reported=20140605,source=oss-security,cvss2=5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N,fedora-all/php-horde-Horde-Ldap=notaffected,epel-all/php-horde-Horde-Ldap=notaffected,cwe=CWE-20->CWE-305
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-06-16 02:03:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1104961, 1104962

Description Murray McAllister 2014-06-16 02:00:43 UTC
Matthew Daley reported an issue in Horde LDAP where, if a user knew the LDAP bind user's DN, they could log in without supplying a password. This has been fixed in version 2.0.6:

https://github.com/horde/horde/commit/8f719b53b0ee2d4b8a40a770430683c98fb5f2fd
https://github.com/horde/horde/commit/4c3e18f1724ab39bfef10c189a5b52036a744d55

It has been fixed in Fedora via bug 1104961, and EPEL 6 via bug 1104962.

Full details available in http://seclists.org/oss-sec/2014/q2/504
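The flaw class behind this bug, as an added illustration that is not code from Horde or from the linked commits: an LDAP simple bind that carries a DN but an empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2). A server that permits it (Active Directory does by default; OpenLDAP refuses it unless `allow bind_anon_dn` is set) answers the bind with success, but the resulting session is anonymous. An application that treats "bind succeeded" as "password verified" therefore accepts any known DN with no password at all. The model below is a constructed Python stand-in for a directory server; the directory entries, DNs and passwords are invented, and `login_vulnerable` / `login_fixed` are hypothetical names for the two client-side behaviours.

```python
"""Model of the LDAP unauthenticated-bind pitfall (constructed example).

ldap_simple_bind() plays the role of the directory server. The
allow_unauthenticated flag models per-server policy on DN-with-empty-
password binds (RFC 4513 section 5.1.2).
"""
from dataclasses import dataclass

# Constructed directory: DN -> password. Hypothetical entries only.
DIRECTORY = {
    "uid=binduser,ou=people,dc=example,dc=org": "s3cret",
    "uid=alice,ou=people,dc=example,dc=org": "alicepw",
}


@dataclass
class BindResult:
    success: bool
    authz_id: str  # "" means the session is anonymous


def ldap_simple_bind(dn: str, password: str,
                     allow_unauthenticated: bool = True) -> BindResult:
    """Server-side handling of a simple bind, modelled after RFC 4513."""
    if dn == "" and password == "":
        # Anonymous bind: always succeeds, no identity.
        return BindResult(True, "")
    if dn != "" and password == "":
        # Unauthenticated bind: a permissive server reports success
        # without checking anything, but the session stays anonymous.
        if allow_unauthenticated:
            return BindResult(True, "")
        return BindResult(False, "")
    if DIRECTORY.get(dn) == password:
        # Real authentication: success and the session carries the DN.
        return BindResult(True, dn)
    return BindResult(False, "")


def login_vulnerable(dn: str, password: str) -> bool:
    """The mistake: a successful bind is taken as proof of the password."""
    return ldap_simple_bind(dn, password).success


def login_fixed(dn: str, password: str) -> bool:
    """Refuse empty credentials before binding, and insist that the
    bound identity is the DN we asked for (never an anonymous session)."""
    if not dn or not password:
        return False
    res = ldap_simple_bind(dn, password)
    return res.success and res.authz_id == dn


if __name__ == "__main__":
    bind_dn = "uid=binduser,ou=people,dc=example,dc=org"
    print("vulnerable, empty password:", login_vulnerable(bind_dn, ""))
    print("fixed, empty password:     ", login_fixed(bind_dn, ""))
    print("fixed, correct password:   ", login_fixed(bind_dn, "s3cret"))
```

The client-side check in `login_fixed` is the part an application controls: whether a given server accepts unauthenticated binds is a deployment setting the application cannot rely on, so an empty password must be rejected before the bind is ever attempted, and a bind that comes back anonymous must not be treated as a login.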