CVE-2017-8028
Spring-LDAP 1.3.0-2.3.1 - Improper Authentication via DefaultTlsDirContextAuthenticationStrategy
Severity: HIGH
Title source: llmDescription
In Pivotal Spring-LDAP versions 1.3.0 through 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when the LDAP BindAuthenticator is configured with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as its authentication strategy and a userSearch is set, authentication succeeds with an arbitrary password as long as the username is correct. This happens because some LDAP vendors require an explicit operation on the connection before the LDAP bind takes effect; when the authentication path issues no such operation, the supplied password is never evaluated by the server.
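The failure mode above, as an added example that is not Spring LDAP's or Pivotal's code: a StartTLS simple bind built directly on the JNDI LDAP provider that only reports success after an explicit operation has forced the server to evaluate the password. The LDAP URL, the user DN, the class name and the Outcome type are assumed for illustration.

```java
import java.io.IOException;
import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/**
 * Added example, not Spring LDAP's own code: a StartTLS simple bind that only
 * reports success once the server has actually checked the password.
 * LDAP_URL and the DNs passed by callers are assumed values.
 */
public final class StartTlsBindCheck {

    // Assumed directory endpoint; StartTLS upgrades the plaintext port in place.
    private static final String LDAP_URL = "ldap://ldap.example.test:389";

    /** Result of one authentication attempt, kept explicit for logging. */
    public enum Outcome { ACCEPTED, REJECTED, EMPTY_PASSWORD }

    public static Outcome authenticate(String userDn, String password)
            throws NamingException, IOException {
        if (password == null || password.isEmpty()) {
            // RFC 4513 section 5.1.2: a DN with an empty password is an unauthenticated
            // bind, which many servers accept. Refuse it locally so a blank password
            // can never be mistaken for a successful login.
            return Outcome.EMPTY_PASSWORD;
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        // No SECURITY_* properties yet: the initial connection is anonymous so the
        // credentials are only ever sent once TLS is up.

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            // 1. Upgrade the connection to TLS before any credentials are sent.
            //    negotiate() uses the default SSLSocketFactory and verifies the
            //    server hostname against its certificate.
            StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate();

            // 2. Stage the credentials. In JNDI these calls only update the context
            //    environment; the BindRequest itself is sent lazily.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);

            // 3. Force the bind now and prove it was accepted. reconnect() re-binds
            //    with the staged credentials; the base-scope lookup of "" (the root
            //    DSE) is the explicit operation the CVE text refers to and throws
            //    AuthenticationException if the server rejected the bind. A caller
            //    that skipped this step and never used the context again would get
            //    "success" without the password ever being checked, which is the
            //    failure mode behind CVE-2017-8028.
            ctx.reconnect(null);
            ctx.lookup("");

            return Outcome.ACCEPTED;
        } catch (AuthenticationException wrongCredentials) {
            // LDAP result code 49 (invalidCredentials) surfaces here.
            return Outcome.REJECTED;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical DN; a directory listening at LDAP_URL is assumed.
        String userDn = "uid=alice,ou=people,dc=example,dc=test";
        System.out.println(authenticate(userDn, args.length > 0 ? args[0] : ""));
    }
}
```

The design point is that an authentication strategy must treat a context as unauthenticated until an operation on it has succeeded with the new credentials; staging credentials in the environment is not proof of anything, and an empty password must be refused before it reaches the server rather than relied on to fail there.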
References (5)
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:0319
Issue Tracking, Third Party Advisory (Debian): https://www.debian.org/security/2017/dsa-4046
Mailing List (debian-lts-announce): https://lists.debian.org/debian-lts-announce/2017/11/msg00026.html
Vendor Advisory (Oracle Critical Patch Update, January 2021): https://www.oracle.com/security-alerts/cpujan2021.html
Issue Tracking, Vendor Advisory (Pivotal): https://pivotal.io/security/cve-2017-8028
Scores
CVSS v3: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.0261 (percentile 83.4%)
Details
CWE
CWE-287 (Improper Authentication)
Status
published
Products (16)
debian/debian_linux
8.0
n/a/Spring-LDAP
Spring-LDAP versions 1.3.0 - 2.3.1
org.springframework.ldap/spring-ldap-core
1.3.0 - 2.3.2 (Maven range; the upper bound 2.3.2 is the first release that is not affected)
pivotal_software/spring-ldap
1.3.0
pivotal_software/spring-ldap
1.3.1 (2 CPE variants)
pivotal_software/spring-ldap
1.3.2
pivotal_software/spring-ldap
2.0.0
pivotal_software/spring-ldap
2.0.1
pivotal_software/spring-ldap
2.0.2
pivotal_software/spring-ldap
2.0.3
... and 6 more
Published
Nov 27, 2017
Tracked Since
Feb 18, 2026