CVE-2011-1025

Openldap - Authentication Bypass

Title source: rule

Description

bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require authentication for the root Distinguished Name (DN), which allows remote attackers to bypass intended access restrictions via an arbitrary password.

References (15)

[Vendor Advisory] http://www.mandriva.com/security/advisories?name=MDVSA-2011:056

[Vendor Advisory] http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

[Vendor Advisory] http://secunia.com/advisories/43331

[Third Party Advisory] http://secunia.com/advisories/43718

[Third Party Advisory, VDB Entry] http://securitytracker.com/id?1025190

[Patch] http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ndb/bind.cpp.diff?r1=1.5&r2=1.8

[Various Sources] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6661

[Various Sources] http://www.openldap.org/lists/openldap-announce/201102/msg00000.html

[Vendor Advisory] http://www.redhat.com/support/errata/RHSA-2011-0347.html

[Vendor Advisory] http://www.ubuntu.com/usn/USN-1100-1

[Vendor Advisory] http://www.vupen.com/english/advisories/2011/0665

[Patch] https://bugzilla.redhat.com/show_bug.cgi?id=680472

[Third Party Advisory] http://security.gentoo.org/glsa/glsa-201406-36.xml

[Mailing List] http://openwall.com/lists/oss-security/2011/02/24/12

[Mailing List] http://openwall.com/lists/oss-security/2011/02/25/13

Scores

EPSS 0.0728

EPSS Percentile 91.5%

Classification

CWE

CWE-287

Status draft

Affected Products (18)

openldap/openldap

... and 3 more

Timeline

Published Mar 20, 2011

Tracked Since Feb 18, 2026