Bug 1109628 (CVE-2014-3999) - CVE-2014-3999 php-horde-Horde-Ldap: connect to LDAP without knowing the password
Summary: CVE-2014-3999 php-horde-Horde-Ldap: connect to LDAP without knowing the password
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3999
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20140603,repor...
Depends On: 1104961 1104962
Blocks:
Reported: 2014-06-16 02:00 UTC by Murray McAllister
Modified: 2019-06-08 20:04 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-16 02:03:15 UTC



Description Murray McAllister 2014-06-16 02:00:43 UTC
Matthew Daley reported an issue in Horde LDAP where, if a user knew the LDAP bind user's DN, they could log in without supplying a password. This has been fixed in version 2.0.6:

https://github.com/horde/horde/commit/8f719b53b0ee2d4b8a40a770430683c98fb5f2fd
https://github.com/horde/horde/commit/4c3e18f1724ab39bfef10c189a5b52036a744d55

It has been fixed in Fedora via bug 1104961, and EPEL 6 via bug 1104962.

Full details available in http://seclists.org/oss-sec/2014/q2/504

