CVE-2017-11501

MEDIUM

NixOS <17.03 - Info Disclosure

Title source: llm

Description

NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf.

References (3)

[Mailing List, Mitigation, Patch, Third Party Advisory] http://openwall.com/lists/oss-security/2017/07/20/1

[Issue Tracking, Third Party Advisory] https://github.com/NixOS/nixpkgs/issues/27506

[Mailing List] https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk

Scores

CVSS v3 5.9

EPSS 0.0009

EPSS Percentile 25.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-295

Status published

Products (2)

nixos_project/nixos < 17.03

n/a/n/a

Published Jul 20, 2017

Tracked Since Feb 18, 2026