CVE-2018-1337

CRITICAL

Apache Directory LDAP API < 1.0.2 - Exposure of Sensitive Information via TLS Handshake Bypass

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-1337. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary: The repository contains only interface definitions and basic utility classes from the Apache Directory API, with no exploit code or technical analysis related to CVE-2018-1337. It appears to be a partial or incomplete snapshot of the vulnerable library rather than a functional PoC or writeup.

Description

In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was set up made it possible for another thread to use a connection before its TLS layer had been established, if that connection had already been used and then returned to a connection pool. Any information contained in such a request could therefore be leaked, including the credentials when sending a BIND request.

Exploits (2)

nomisec · STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-1337-directory-ldap-api-vulnerable

The repository contains only interface definitions and basic utility classes from the Apache Directory API, with no exploit code or technical analysis related to CVE-2018-1337. It appears to be a partial or incomplete snapshot of the vulnerable library rather than a functional PoC or writeup.

Classification: Stub (90%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apache Directory LDAP API
No auth needed
Prerequisites: None
Analyzed by devstral-2 on Mar 14, 2026
nomisec · STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-1337-directory-ldap-api-vulnerable

The repository contains only interface definitions and basic utility classes from the Apache Directory API, with no exploit code or vulnerability demonstration. It appears to be a partial snapshot of the vulnerable codebase without any PoC or analysis.

Classification: Stub (90%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apache Directory LDAP API
No auth needed
Prerequisites: Access to vulnerable Apache Directory LDAP API
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0266
EPSS Percentile: 86.2%
Attack Vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-200
Status: published
Products (2):
apache/directory_ldap_api < 1.0.2
org.apache.directory.api/apache-ldap-api 0 - 1.0.2 (Maven)
Published: Jul 10, 2018
Tracked Since: Feb 18, 2026