1109628 – (CVE-2014-3999) CVE-2014-3999 php-horde-Horde-Ldap: connect to LDAP without knowing the password

Bug 1109628 (CVE-2014-3999) - CVE-2014-3999 php-horde-Horde-Ldap: connect to LDAP without knowing the password

Summary: CVE-2014-3999 php-horde-Horde-Ldap: connect to LDAP without knowing the password

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-3999
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1104961 1104962
Blocks:
TreeView+	depends on / blocked

Reported:	2014-06-16 02:00 UTC by Murray McAllister
Modified:	2019-09-29 13:18 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-16 02:03:15 UTC
Embargoed:

Attachments	(Terms of Use)

Description Murray McAllister 2014-06-16 02:00:43 UTC

Matthew Daley reported an issue in Horde LDAP where, if a user knew the LDAP bind user's DN, they could login without supplying a password. This has been fixed in version 2.0.6:

https://github.com/horde/horde/commit/8f719b53b0ee2d4b8a40a770430683c98fb5f2fd
https://github.com/horde/horde/commit/4c3e18f1724ab39bfef10c189a5b52036a744d55

It has been fixed in Fedora via bug 1104961, and EPEL 6 via bug 1104962.

Full details available in http://seclists.org/oss-sec/2014/q2/504

Note You need to log in before you can comment on or make changes to this bug.