Matthew Daley reported the following flaw:

"Cherokee supports authenticating users via LDAP. It does not ensure that users provide a non-empty password when doing so. If the underlying LDAP server allows unauthenticated binds (see RFC 4513, section 5.1.2: <http://tools.ietf.org/html/rfc4513#section-5.1.2>), an unauthenticated bind will be performed and not the name/password-based authenticated bind that Cherokee is expecting. The success of this bind will cause Cherokee to authenticate the user. This allows an attacker to authenticate as a user for which they only know the username and not the password.

Affected versions: current releases (<= 1.2.103)"

Upstream fix: https://github.com/cherokee/webserver/commit/fbda667221c51f0aa476a02366e0cf66cb012f88
Original report: http://seclists.org/oss-sec/2014/q2/698
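To illustrate the flaw described in the report, the following added example (not Cherokee's code and not the upstream commit) simulates an LDAP server that accepts RFC 4513 section 5.1.2 unauthenticated binds, and contrasts an authenticator that trusts any successful bind with one that rejects empty passwords before binding. The directory entries and the bind simulation are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Outcome of a simulated LDAP simple bind. */
typedef enum { BIND_SUCCESS, BIND_INVALID_CREDENTIALS } bind_result_t;

/* Constructed directory contents (hypothetical users and passwords). */
struct dir_entry { const char *dn; const char *password; };
static const struct dir_entry directory[] = {
    { "uid=alice,ou=people,dc=example,dc=org", "s3cret"  },
    { "uid=bob,ou=people,dc=example,dc=org",   "hunter2" },
};

/* Simulated server configured to allow unauthenticated binds
 * (RFC 4513 section 5.1.2): a non-empty name with an empty password
 * succeeds without any credential check, i.e. it proves nothing. */
static bind_result_t ldap_simple_bind_sim(const char *dn, const char *pw)
{
    if (pw == NULL || pw[0] == '\0')
        return BIND_SUCCESS;                  /* unauthenticated bind */
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcmp(directory[i].dn, dn) == 0 &&
            strcmp(directory[i].password, pw) == 0)
            return BIND_SUCCESS;              /* authenticated bind */
    return BIND_INVALID_CREDENTIALS;
}

/* Vulnerable pattern: any successful bind is treated as proof of identity,
 * so a known username with an empty password is accepted. */
bool auth_vulnerable(const char *dn, const char *pw)
{
    return ldap_simple_bind_sim(dn, pw) == BIND_SUCCESS;
}

/* Hardened pattern: refuse empty passwords before contacting the server,
 * so only a name/password authenticated bind can ever succeed. */
bool auth_fixed(const char *dn, const char *pw)
{
    if (pw == NULL || pw[0] == '\0')
        return false;
    return ldap_simple_bind_sim(dn, pw) == BIND_SUCCESS;
}
```

The same pre-bind check applies to any client of an LDAP server whose configuration you do not control, since whether unauthenticated binds are allowed is a server-side setting.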
Created cherokee tracking bugs for this issue:
Affects: fedora-all [bug 1114461]
Affects: epel-all [bug 1114463]
cherokee-1.2.103-6.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.