Bug 1493998 (CVE-2017-14623)

Summary: CVE-2017-14623 gopkg.in-ldap.v2: Authentication bypass via empty password
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, dedgar, dmcphers, eparis, jburrell, jgoulding, jkeck, jokerman, maszulik, mchappel, mfojtik, nstielau, sponnaga
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2019-06-08 03:26:00 UTC
Bug Depends On: 1566145
Bug Blocks: 1493999

Description Andrej Nemec 2017-09-21 09:54:11 UTC
In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (i.e., a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind.

Upstream patch:

https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66

Upstream issue:

https://github.com/go-ldap/ldap/pull/126
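The two conditions in the description can be shown side by side with a small Go program. This is an added example, not code from the bug report or from go-ldap: the `BindFunc` type and the `unauthenticatedBindServer` function are hypothetical stand-ins for a client's Bind call and for a directory that permits unauthenticated bind, and the DN and password values are constructed. `naiveAuthenticate` is the vulnerable pattern (a nil error from Bind taken as a successful login); `guardedAuthenticate` is the application-level mitigation of refusing a blank password before it reaches the directory.

```go
package main

import (
	"errors"
	"fmt"
)

// BindFunc stands in for an LDAP client's Bind method: it returns nil when
// the directory accepted the bind and a non-nil error otherwise.
// Hypothetical type for this example, not the go-ldap API.
type BindFunc func(dn, password string) error

var (
	// ErrEmptyPassword is returned by the guarded path before any bind is sent.
	ErrEmptyPassword = errors.New("authentication refused: empty password")
	// ErrInvalidCredentials models the directory rejecting a wrong password.
	ErrInvalidCredentials = errors.New("ldap: invalid credentials")
)

// unauthenticatedBindServer simulates a directory configured to allow
// unauthenticated bind: a DN with an empty password is accepted (nil error)
// even though no credential was verified. Constructed for this example;
// the single valid account and its password are made up.
func unauthenticatedBindServer(dn, password string) error {
	if password == "" {
		return nil // unauthenticated bind: no password checked, yet "success"
	}
	if dn == "cn=alice,dc=example,dc=com" && password == "correct horse" {
		return nil
	}
	return ErrInvalidCredentials
}

// naiveAuthenticate is the pattern the advisory warns about: it relies only
// on Bind's error value, so an unauthenticated bind looks like a valid login.
func naiveAuthenticate(bind BindFunc, dn, password string) bool {
	return bind(dn, password) == nil
}

// guardedAuthenticate rejects a blank password up front, so the directory's
// unauthenticated-bind behaviour can never be mistaken for authentication.
func guardedAuthenticate(bind BindFunc, dn, password string) error {
	if password == "" {
		return ErrEmptyPassword
	}
	return bind(dn, password)
}

func main() {
	dn := "cn=alice,dc=example,dc=com"
	fmt.Println("naive, empty password:  ", naiveAuthenticate(unauthenticatedBindServer, dn, ""))
	fmt.Println("guarded, empty password:", guardedAuthenticate(unauthenticatedBindServer, dn, ""))
	fmt.Println("guarded, right password:", guardedAuthenticate(unauthenticatedBindServer, dn, "correct horse"))
	fmt.Println("guarded, wrong password:", guardedAuthenticate(unauthenticatedBindServer, dn, "wrong"))
}
```

The guard belongs in the application even after upgrading the library: it keeps the login path independent of both the client's and the server's handling of empty credentials, which is the approach the OpenShift statement below describes.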

Comment 6 Mark Cooper 2020-07-03 01:58:38 UTC
Statement:

This issue affects the version of go-ldap/ldap with Red Hat OpenShift Container Platform (OCP) 3.11. However, OpenShift explicitly checks for blank passwords in order to prevent anonymous LDAP binds. As the OpenShift 3.11 product packages the vulnerable library, it is affected, but is set to wontfix. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

The 'oc cli' in OCP 3.11 and 4.x also contains the vulnerable go-ldap/ldap library. However, while the oc binary does allow anonymous binds, any unauthenticated binds are not possible. Hence the oc cli is marked affected (as it includes the library), but is set to wontfix - this may be addressed in a future release.