CVE-2017-14623

HIGH

go-ldap < 2.5.0 - Improper Authentication via Empty Password

Title source: llm

Description

In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (i.e., a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind.

References (2)

Core 2

Core References

Issue Tracking, Patch x_refsource_confirm

https://github.com/go-ldap/ldap/pull/126

Patch x_refsource_confirm

https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66

View Patch ZIP pw:eip

Scores

CVSS v3 8.1

EPSS 0.0167

EPSS Percentile 73.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-287

Status published

Products (2)

go-ldap/ldap 0 - 2.5.0Go

go-ldap_project/ldap < 2.5.0

Published Sep 20, 2017

Tracked Since Feb 18, 2026