CVE-2007-6714

DBMail < 2.2.9 - Unauthenticated Authentication Bypass via Empty LDAP Password

Description

DBMail before 2.2.9, when using authldap with an LDAP server that supports anonymous login such as Active Directory, allows remote attackers to bypass authentication via an empty password, which causes the LDAP bind to indicate success based on anonymous authentication.

References (13)

Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200804-24.xml
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/28849
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/41907
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/44561
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29903
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1019914
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29984
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/1321/references
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29937
Mailing List mailing-list x_refsource_mlist
http://www.mail-archive.com/dbmail-dev%40dbmail.org/msg09942.html

Scores

EPSS 0.0239
EPSS Percentile 81.9%

Details

CWE CWE-287
Status published
Products (3)
dbmail/dbmail 2.2.6 (2 CPE variants)
dbmail/dbmail 2.2.7 (5 CPE variants)
dbmail/dbmail 2.2.8 (2 CPE variants)
Published Apr 17, 2008
Tracked Since Feb 18, 2026