Red Hat Bugzilla – Bug 1599886
CVE-2018-1337 apache-ldap-api: Plaintext Password Disclosure in Secured Channel
Last modified: 2018-09-20 08:23:09 EDT
In Apache LDAP API before 1.0.2, a bug in the way the SSL Filter was set up made it possible for another thread to use the connection before the TLS layer had been established, if the connection had already been used and put back in a pool of connections. This leaked any information contained in the request (including the credentials when sending a BIND request).
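The failure class described above, as an added illustration that is not code from Apache LDAP API or from this bug report: a shared connection whose write path ignores TLS state, next to a write path that blocks until the handshake completes and fails closed on timeout. The class, its methods and the BIND string are hypothetical, constructed stand-ins and do not reflect the library's actual filter chain.

```python
import threading

class PooledConnection:
    """Hypothetical stand-in for a connection shared through a pool."""

    def __init__(self):
        self._secured = threading.Event()   # set once the TLS layer is in place
        self.wire = []                      # (channel, request) pairs that reached the socket

    def finish_handshake(self):
        self._secured.set()

    def send_unguarded(self, request):
        # Flawed pattern: the write path never checks whether TLS is established.
        channel = "TLS" if self._secured.is_set() else "PLAINTEXT"
        self.wire.append((channel, request))

    def send_guarded(self, request, timeout=1.0):
        # Hardened pattern: wait for the handshake, and refuse to write otherwise.
        if not self._secured.wait(timeout):
            raise ConnectionError("TLS not established; refusing to send")
        self.wire.append(("TLS", request))

    def plaintext_requests(self):
        return [req for channel, req in self.wire if channel == "PLAINTEXT"]

BIND = "BIND cn=app,dc=example,dc=org password=sample"  # constructed sample value

def demo_unguarded():
    conn = PooledConnection()
    conn.send_unguarded(BIND)       # another thread uses the connection too early
    conn.finish_handshake()         # handshake completes only afterwards
    return conn.plaintext_requests()

def demo_guarded():
    conn = PooledConnection()
    timer = threading.Timer(0.05, conn.finish_handshake)
    timer.start()
    conn.send_guarded(BIND)         # blocks until the handshake has finished
    timer.join()
    return conn.wire

def demo_guarded_fails_closed():
    conn = PooledConnection()
    try:
        conn.send_guarded(BIND, timeout=0.05)   # handshake never completes
    except ConnectionError:
        return conn.wire                        # nothing was written
    return None

if __name__ == "__main__":
    print("unguarded plaintext:", demo_unguarded())
    print("guarded wire:", demo_guarded())
    print("guarded, no handshake:", demo_guarded_fails_closed())
```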
Created apacheds-ldap-api tracking bugs for this issue:
Affects: fedora-all [bug 1599887]