CVE-2007-6714

DBMail <2.2.9 - Auth Bypass

Title source: llm

Description

DBMail before 2.2.9, when using authldap with an LDAP server that supports anonymous login such as Active Directory, allows remote attackers to bypass authentication via an empty password, which causes the LDAP bind to indicate success based on anonymous authentication.

References (13)

[Patch] http://dbmail.org/index.php?page=news&id=44

[Third Party Advisory] http://www.gentoo.org/security/en/glsa/glsa-200804-24.xml

[Mailing List] http://www.mail-archive.com/dbmail-dev%40dbmail.org/msg09942.html

[Vendor Advisory] https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00549.html

[Vendor Advisory] https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00585.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/28849

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/41907

[Third Party Advisory, VDB Entry] http://osvdb.org/44561

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id?1019914

[Third Party Advisory] http://secunia.com/advisories/29903

[Third Party Advisory] http://secunia.com/advisories/29937

[Third Party Advisory] http://secunia.com/advisories/29984

[Third Party Advisory] http://www.vupen.com/english/advisories/2008/1321/references

Scores

EPSS 0.0143

EPSS Percentile 80.5%

Classification

CWE

CWE-287

Status draft

Affected Products (9)

dbmail/dbmail

dbmail/dbmail

dbmail/dbmail

dbmail/dbmail

dbmail/dbmail

dbmail/dbmail

dbmail/dbmail

dbmail/dbmail

dbmail/dbmail

Timeline

Published Apr 17, 2008

Tracked Since Feb 18, 2026