CVE-2014-8088
Zend Framework < 1.12.7 and 2.x < 2.2.8 - Authentication Bypass via Null Byte in LDAP Password
The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
References (7)
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141070.html
Mailing List (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2014/10/10/5
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141106.html
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/70378
Vendor Advisory (x_refsource_confirm): http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2015/dsa-3265
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/97038
Scores
EPSS: 0.0249 (percentile 82.7%)
Details
CWE: CWE-287
Status: published
Products (19)
zend/zend_framework 1.12.0 (5 CPE variants)
zend/zend_framework 1.12.1
zend/zend_framework 1.12.2
zend/zend_framework 1.12.3
zend/zend_framework 1.12.5
zend/zend_framework 2.0.0
zend/zend_framework 2.01
zend/zend_framework 2.2.2
zend/zend_framework 2.2.3
zend/zend_framework 2.2.4
... and 9 more
Published: Oct 22, 2014
Tracked Since: Feb 18, 2026